Synacor Zimbra Collaboration Suite — known CVE vulnerabilities
Every CVE whose affected-product data names Synacor Zimbra Collaboration Suite, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVE-2019-6980 — CVSS 9.8 (critical): Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
CVE-2016-9924 — CVSS 9.8 (critical): Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.
CVE-2017-6813 — CVSS 9.8 (critical): A service provided by Zimbra Collaboration Suite (ZCS) before 8.7.6 fails to require needed privileges before performing a few requested…
CVE-2017-6821 — CVSS 9.8 (critical): Directory traversal vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.7.6 allows attackers to have unspecified impact via…
CVE-2018-20160 — CVSS 9.8 (critical): ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products…
CVE-2016-3415 — CVSS 9.1 (critical): Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.
CVE-2026-33373 — CVSS 8.8 (high): An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web…
CVE-2025-32354 — CVSS 8.8 (high): In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint…
CVE-2025-25064 — CVSS 8.8 (high): SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4…
CVE-2015-7610 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x…
CVE-2016-3403 — CVSS 8.8 (high): Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote…
CVE-2016-3406 — CVSS 8.8 (high): Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the…
CVE-2020-12846 — CVSS 8.0 (high): Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of…
CVE-2022-3569 — CVSS 7.8 (high): Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in…
CVE-2016-3413 — CVSS 7.5 (high): Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug…
CVE-2024-54663 — CVSS 7.5 (high): An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI)…
CVE-2016-4019 — CVSS 7.5 (high): Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug…
CVE-2013-5119 — CVSS 6.8 (medium): Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows man-in-the-middle attackers to obtain access by sniffing the network and…
CVE-2016-3401 — CVSS 6.5 (medium): Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote authenticated users to affect integrity via unknown vectors…
CVE-2018-10951 — CVSS 6.5 (medium): mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey…
CVE-2016-3414 — CVSS 6.5 (medium): Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown…
CVE-2016-3408 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or…
CVE-2018-14425 — CVSS 6.1 (medium): There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC)…
CVE-2018-18631 — CVSS 6.1 (medium): mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 before 8.7.11 Patch 7, and 8.8 before 8.8.10 Patch 2 has Persistent XSS.
CVE-2020-18984 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12…
CVE-2020-18985 — CVSS 6.1 (medium): An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website…
CVE-2024-45516 — CVSS 6.1 (medium): An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before…
CVE-2016-3410 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web…
CVE-2024-50599 — CVSS 6.1 (medium): A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration Suite (ZCS) 8.8.15, affecting one of the…
CVE-2016-3409 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or…
CVE-2018-14013 — CVSS 6.1 (medium): Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
CVE-2016-3407 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web…
CVE-2015-7609 — CVSS 6.1 (medium): Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the error/warning dialog and email body content in Zimbra.
CVE-2026-33368 — CVSS 6.1 (medium): Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST…
CVE-2026-33370 — CVSS 6.1 (medium): An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra…
CVE-2018-10939 — CVSS 6.1 (medium): Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact…
CVE-2020-13653 — CVSS 6.1 (medium): An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject…
CVE-2024-45510 — CVSS 5.4 (medium): An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site…
CVE-2024-45511 — CVSS 5.4 (medium): An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the…
CVE-2024-45512 — CVSS 5.4 (medium): An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a…
CVE-2024-45514 — CVSS 5.4 (medium): An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the…
CVE-2024-45517 — CVSS 5.4 (medium): An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of…
CVE-2026-33372 — CVSS 5.4 (medium): An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra…
CVE-2020-8633 — CVSS 5.3 (medium): An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the…
CVE-2018-10950 — CVSS 5.3 (medium): mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure…
CVE-2018-15131 — CVSS 5.3 (medium): An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8…
CVE-2018-10949 — CVSS 5.3 (medium): mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a…
CVE-2025-25065 — CVSS 5.3 (medium): SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4…
CVE-2013-7091 — CVSS 5.0 (medium): Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2…
CVE-2018-10948 — CVSS 4.8 (medium): Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs.
CVE-2024-45194 — CVSS 4.8 (medium): In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS)…
CVE-2024-45513 — CVSS 4.8 (medium): An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the…
CVE-2026-33369 — CVSS 4.3 (medium): Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction…
CVE-2026-33371 — CVSS 4.3 (medium): An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra…