Skip to main content

Zulip

17 CVEs product

Monthly

CVE-2026-40300 MEDIUM PATCH This Month

{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.

Authentication Bypass Zulip
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-26058 MEDIUM PATCH This Month

Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server filesystem and copy them into the uploads directory via a crafted export tarball containing specially crafted paths in uploads/records.json. Zulip versions 1.4.0 through 11.5 are affected; the vulnerability requires local access and user interaction (import initiation) but can expose sensitive server data readable by the Zulip application user. No active exploitation has been confirmed; a vendor-released patch is available in version 11.6.

Path Traversal Zulip
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25742 MEDIUM PATCH This Month

Zulip versions 1.4.0 through 11.5 allow unauthenticated retrieval of attachments and topic history from web-public streams even after spectator access is disabled, due to incomplete access control on attachment serving and the /users/me/<stream_id>/topics endpoint. An attacker can bypass intended access restrictions to read file contents and stream metadata after public access is supposed to be revoked. The vulnerability affects all Zulip deployments that previously enabled spectator access and then disabled it. Vendor-released patch: version 11.6.

Authentication Bypass Zulip
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-47930 MEDIUM PATCH This Month

Zulip is an open-source team chat application. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Zulip
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-30368 LOW PATCH Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zulip
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2024-36624 MEDIUM PATCH This Month

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-36625 MEDIUM PATCH This Month

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-28623 LOW PATCH Monitor

Zulip is an open-source team collaboration tool with unique topic-based threading. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Zulip
NVD GitHub
CVSS 3.1
3.7
EPSS
0.5%
CVE-2023-32677 LOW PATCH Monitor

Zulip is an open-source team collaboration tool with unique topic-based threading. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Zulip
NVD GitHub
CVSS 3.1
3.1
EPSS
0.6%
CVE-2022-36048 MEDIUM This Month

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-35962 MEDIUM This Month

Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apple Zulip
NVD GitHub
CVSS 3.1
5.7
EPSS
0.9%
CVE-2022-31168 HIGH PATCH This Week

Zulip is an open source team chat tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Zulip
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-31017 LOW Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Zulip
NVD GitHub
CVSS 3.1
2.6
EPSS
0.5%
CVE-2022-24751 HIGH PATCH This Week

Zulip is an open source group chat application. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Zulip
NVD GitHub
CVSS 3.1
7.4
EPSS
0.9%
CVE-2021-43791 MEDIUM PATCH This Month

Zulip is an open source group chat application that combines real-time chat with threaded conversations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Zulip
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2021-41115 MEDIUM POC PATCH This Month

Zulip is an open source team chat server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Zulip
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2019-10476 Maven HIGH PATCH This Week

Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Zulip
NVD
CVSS 3.1
7.8
EPSS
0.3%
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.

Authentication Bypass Zulip
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server filesystem and copy them into the uploads directory via a crafted export tarball containing specially crafted paths in uploads/records.json. Zulip versions 1.4.0 through 11.5 are affected; the vulnerability requires local access and user interaction (import initiation) but can expose sensitive server data readable by the Zulip application user. No active exploitation has been confirmed; a vendor-released patch is available in version 11.6.

Path Traversal Zulip
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Zulip versions 1.4.0 through 11.5 allow unauthenticated retrieval of attachments and topic history from web-public streams even after spectator access is disabled, due to incomplete access control on attachment serving and the /users/me/<stream_id>/topics endpoint. An attacker can bypass intended access restrictions to read file contents and stream metadata after public access is supposed to be revoked. The vulnerability affects all Zulip deployments that previously enabled spectator access and then disabled it. Vendor-released patch: version 11.6.

Authentication Bypass Zulip
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Zulip is an open-source team chat application. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Zulip
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zulip
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip
NVD GitHub
EPSS 1% CVSS 3.7
LOW PATCH Monitor

Zulip is an open-source team collaboration tool with unique topic-based threading. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Zulip
NVD GitHub
EPSS 1% CVSS 3.1
LOW PATCH Monitor

Zulip is an open-source team collaboration tool with unique topic-based threading. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Zulip
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip
NVD GitHub
EPSS 1% CVSS 5.7
MEDIUM This Month

Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apple Zulip
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Zulip is an open source team chat tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Zulip
NVD GitHub
EPSS 1% CVSS 2.6
LOW Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Zulip
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Zulip is an open source group chat application. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Zulip
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Zulip is an open source group chat application that combines real-time chat with threaded conversations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Zulip
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Zulip is an open source team chat server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Zulip
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Zulip
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy