Skip to main content

Zulip Server

39 CVEs product

Monthly

CVE-2026-24050 MEDIUM PATCH This Month

Stored cross-site scripting in Zulip Server versions 5.0 through 11.4 allows authenticated attackers to execute arbitrary JavaScript through malicious group or channel names when administrators interact with user profile management features. An attacker with the ability to create or modify groups/channels can inject payloads that execute in the context of an administrator's session, potentially compromising account security or sensitive data. A patch is available in version 11.5.

XSS Zulip Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-52559 MEDIUM PATCH This Month

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. A workaround for this issue involves denying access to /digest/.

XSS Debian Zulip Server
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-31478 HIGH This Week

Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zulip Server
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-30369 LOW PATCH Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2025-27149 MEDIUM This Month

Zulip server provides an open-source team chat that helps teams stay productive and focused. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD GitHub
CVSS 4.0
4.6
EPSS
0.2%
CVE-2024-56136 MEDIUM PATCH This Month

Zulip server provides an open-source team chat that helps teams stay productive and focused. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-36612 HIGH PATCH This Week

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-27286 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-21630 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Zulip Server
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-47642 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-32678 MEDIUM This Month

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zulip Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-33186 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip Server
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2023-22735 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
4.6
EPSS
0.5%
CVE-2022-41914 LOW PATCH Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
3.7
EPSS
0.5%
CVE-2022-31134 MEDIUM This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-23656 MEDIUM PATCH This Month

Zulip is an open source team chat app. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-21706 CRITICAL PATCH Act Now

Zulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Zulip Server
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-30487 LOW Monitor

In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD
CVSS 3.1
2.7
EPSS
0.7%
CVE-2021-30479 MEDIUM This Month

An issue was discovered in Zulip Server before 3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-30478 MEDIUM This Month

An issue was discovered in Zulip Server before 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-30477 MEDIUM This Month

An issue was discovered in Zulip Server before 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-15070 HIGH This Week

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PostgreSQL Zulip Server
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-14215 HIGH This Week

Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-14194 MEDIUM This Month

Zulip Server before 2.1.5 allows reverse tabnapping via a topic header link. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-12759 MEDIUM This Month

Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-9445 MEDIUM This Month

Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-9444 MEDIUM This Month

Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-10935 MEDIUM POC This Month

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zulip Server
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-19775 MEDIUM PATCH This Month

The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Zulip Server
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2019-18933 CRITICAL PATCH Act Now

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2019-16216 MEDIUM PATCH This Month

Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-16215 MEDIUM PATCH This Month

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Zulip Server
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2018-9999 MEDIUM This Month

In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-9990 MEDIUM This Month

In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-9987 MEDIUM This Month

In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-9986 MEDIUM This Month

In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2017-0910 HIGH PATCH This Week

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Zulip Server
NVD GitHub
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-0896 MEDIUM PATCH This Month

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Zulip Server
NVD GitHub
CVSS 3.0
6.5
EPSS
0.1%
CVE-2017-0881 MEDIUM PATCH This Month

An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
CVSS 3.0
4.3
EPSS
0.2%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Zulip Server versions 5.0 through 11.4 allows authenticated attackers to execute arbitrary JavaScript through malicious group or channel names when administrators interact with user profile management features. An attacker with the ability to create or modify groups/channels can inject payloads that execute in the context of an administrator's session, potentially compromising account security or sensitive data. A patch is available in version 11.5.

XSS Zulip Server
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. A workaround for this issue involves denying access to /digest/.

XSS Debian Zulip Server
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zulip Server
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zulip Server
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Zulip server provides an open-source team chat that helps teams stay productive and focused. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Zulip server provides an open-source team chat that helps teams stay productive and focused. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Zulip Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Zulip Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zulip Server
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip Server
NVD GitHub
EPSS 1% CVSS 4.6
MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zulip Server
NVD GitHub
EPSS 1% CVSS 3.7
LOW PATCH Monitor

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM This Month

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Zulip is an open source team chat app. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Zulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Zulip Server
NVD GitHub
EPSS 1% CVSS 2.7
LOW Monitor

In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

An issue was discovered in Zulip Server before 3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An issue was discovered in Zulip Server before 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An issue was discovered in Zulip Server before 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zulip Server
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PostgreSQL +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Zulip Server before 2.1.5 allows reverse tabnapping via a topic header link. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Zulip Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google Information Disclosure Zulip Server
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zulip Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Zulip Server
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM This Month

In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Zulip Server
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Zulip Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Zulip Server
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy