securityonline.info 2/13/2026, 1:15:52 AM · via preferred

Triple Threat Patched: Zimbra 10.1.16 Fixes XSS, XXE & LDAP Injection

Primary source: blog.zimbra.com

Zimbra has rolled out a significant security update, releasing Zimbra 10.1.16 to address several vulnerabilities, with a strong recommendation for administrators and users to upgrade immediately. The patch fixes three injection-type flaw categories, including cross-site scripting (XSS) in Webmail and Briefcase file sharing, an authenticated LDAP injection on the backend, and an XML external entity (XXE) vulnerability in the EWS SOAP endpoint.

In addition to these fixes, the release strengthens CSRF protection with proper token validation and notes improvements to overall stability, including the restoration of PDF preview functionality in Classic UI and mail rendering stability, both accompanied by new security safeguards. The update fundamentally tightens the product’s front-end and back-end security posture, making it harder for attackers to hijack sessions or manipulate directory queries.

With these changes, Zimbra 10.1.16 is positioned as a mandatory update for organisations looking to keep their email infrastructure secure and stable.

13 February 2026.


Article by CyberSIXT
