This thread will study ZCS NE 10.1.16 (released on February 04, 2026) security fixes and their ZCS FOSS 10.1.16 counterpart commits.
Security fixes (From 10.1.16 NE)
- Restored mail rendering stability while maintaining the existing security protections.
- Addressed an XSS vulnerability in Zimbra webmail
- Fixed an authenticated LDAP injection vulnerability by sanitizing user-controlled input.
- PDF attachment preview functionality has been restored in the Classic UI while maintaining security protections.
- Addressed a stored XSS vulnerability in the Briefcase feature caused by inline rendering of specific uploaded file types when shared publicly.
- Addressed an authenticated XXE vulnerability in the EWS SOAP endpoint.
- Fixed a CSRF validation issue where tokens were incorrectly accepted from the request body instead of the required header.
In order to recreate ZCS FOSS 10.1.16 as close as possible to ZCS NE 10.1.16 in a timely manner, we need to figure out ways to either recreate the counterpart commits for these security fixes or find them in the repos (I might have overlooked them, after all):
- Restored mail rendering stability while maintaining the existing security protections.
- Addressed an XSS vulnerability in Zimbra webmail
- Fixed an authenticated LDAP injection vulnerability by sanitizing user-controlled input.
- PDF attachment preview functionality has been restored in the Classic UI while maintaining security protections.
- Addressed a stored XSS vulnerability in the Briefcase feature caused by inline rendering of specific uploaded file types when shared publicly.
- Fixed a CSRF validation issue where tokens were incorrectly accepted from the request body instead of the required header.
Extra resources
- You can check/update the Zimbra FOSS CVE commits wiki page, where these commits can be tracked.
