CVE-2026-33372

low-risk
Published 2026-03-20

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Synacor

References (4)

Vendor Advisory https://wiki.zimbra.com/wiki/Security_Center
Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes
Product https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Vendor Advisory https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal