Zulip's payment method update API endpoint in the upgrade flow lacks proper authorization checks, allowing any organization member to modify the default payment method by completing a Stripe Checkout session. This vulnerability affected Zulip Cloud users and has been patched; self-hosted deployments are not impacted and require no action.
Authentication Bypass
NVD
GitHub
CVSS 3.1
7.1
EPSS
0.0%
s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions up to 1.3.1. contains a security vulnerability.
Information Disclosure
Mcp Go Sdk
NVD
GitHub
VulDB
CVSS 4.0
7.0
EPSS
0.1%
Prev
Page 2 of 2