PT-2026-26612 · Zimbra · Zimbra Collaboration Suite

Published: 2026-03-20 · Updated: 2026-03-22 · CVE-2026-33368

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions 10.0 and 10.1

Description: The application does not properly sanitize user-supplied input, leading to a reflected cross-site scripting (XSS) issue in the Classic Webmail REST interface /h/rest. An unauthenticated attacker can inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes within the Zimbra webmail application, potentially allowing the attacker to perform actions on behalf of the victim.

Recommendations:
Zimbra Collaboration Suite version 10.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Zimbra Collaboration Suite version 10.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-33368

Affected Products: Zimbra Collaboration Suite