
zulip — Vulnerabilities & Security Advisories (36)

Browse all 36 CVE security advisories affecting zulip. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Zulip is an open-source team communication platform built around topic-based threads inside channels (formerly called streams), used mainly by enterprise and developer communities. With 36 recorded Common Vulnerabilities and Exposures (CVEs), its security history is that of a typical web application, and the advisories listed here are dominated by authorization and information-disclosure bugs in the server rather than memory-safety or code-execution flaws. The largest group is missing or incorrect access checks (CWE-285, CWE-862, CWE-863): former subscribers editing or deleting messages in private streams, non-admins adding users to streams they could not otherwise add to, non-billing users changing the Stripe payment method, and multi-use invitations or registration paths that grant access in specific configurations. Close behind are data leaks (CWE-200, CWE-497) through the events API, data exports, the JWT API-key endpoint and stream metadata, plus two cross-tenant bugs in which administrators of one organization could delete resources of another (CWE-566). Cross-site scripting (CWE-79) recurs in the web client, in the user profile modal, the digest preview URL and a topic tooltip. Single entries cover a path-traversal weakness in the import code (CWE-22), a race condition (CWE-362), a non-constant-time SCIM token comparison, an authentication backend configuration bypass (CWE-287), and a credential-disclosure issue in the mobile client. No remote code execution advisory appears in the list. Zulip maintains a transparent vulnerability disclosure process, and since several of these issues apply only under particular settings (spectator access, S3-backed uploads, specific authentication backends, multi-organization hosting), organizations should assess each entry against their own deployment configuration and patch cadence.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-26058 | Zulip: Path Traversal in Import | zulip | CWE-22 | 6.1 | Medium | 2026-04-03 |
| CVE-2026-25742 | Zulip: Anonymous File Access After Disabling Spectator Access | zulip | CWE-862 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-25741 | Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing Users | zulip | CWE-863 | 7.1 | High | 2026-02-26 |
| CVE-2026-24050 | Zulip affected by Stored XSS in user profile modal | zulip | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2025-52559 | Zulip XSS in digest preview URL | zulip | CWE-79 | 6.8 | Medium | 2025-07-02 |
| CVE-2025-47930 | Zulip Server has access control bypass for restrictions on creation of specific channel types | zulip | CWE-863 | 6.5 (AI) | Medium (AI) | 2025-05-15 |
| CVE-2025-31478 | Zulip Authentication Backend Configuration Bypass | zulip | CWE-287 | 8.2 | High | 2025-04-16 |
| CVE-2025-30369 | Zulip allows the deletion of Custom profile fields by administrators of a different organization | zulip | CWE-566 | 2.7 | Low | 2025-03-31 |
| CVE-2025-30368 | Zulip allows the deletion of organization by administrators of a different organization | zulip | CWE-566 | 2.7 | Low | 2025-03-31 |
| CVE-2025-27149 | Zulip exports can leak private data | zulip | CWE-497 | 6.5 | - | 2025-03-31 |
| CVE-2025-25195 | Zulip events can leak private channel names | zulip | CWE-200 | 4.3 | Medium | 2025-02-13 |
| CVE-2024-56136 | /api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server | zulip | CWE-200 | 5.3 | - | 2025-01-16 |
| CVE-2024-27286 | Moving single messages from public to private streams leaves them accessible | zulip | CWE-200 | 6.5 | Medium | 2024-03-20 |
| CVE-2024-21630 | Zulip non-admins can invite new users to streams they would not otherwise be able to add existing users to | zulip | CWE-862 | 4.3 | Medium | 2024-01-25 |
| CVE-2023-47642 | Stream description leaks to ex-subscribers in Zulip | zulip | CWE-200 | 4.3 | Medium | 2023-11-16 |
| CVE-2023-32678 | Zulip vulnerable to insufficient authorization check for edition/deletion of messages and topics in private streams by former subscribers | zulip | CWE-285 | 6.5 | Medium | 2023-08-25 |
| CVE-2023-33186 | Cross-site scripting vulnerability in Zulip Server development branch via topic tooltip | zulip | CWE-79 | 8.2 | High | 2023-05-30 |
| CVE-2023-28623 | Unauthorized user can register an account in specific configurations in Zulip | zulip | CWE-285 | 6.5 | Medium | 2023-05-19 |
| CVE-2023-32677 | Users who can send invitations can erroneously add users to streams during invitation in Zulip | zulip | CWE-862 | 3.1 | Low | 2023-05-19 |
| CVE-2023-22735 | User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip | zulip | CWE-436 | 4.4 | Medium | 2023-02-07 |
| CVE-2022-41914 | Non-constant-time SCIM token comparison in Zulip Server | zulip | CWE-200 | 3.7 | Low | 2022-11-16 |
| CVE-2022-36048 | IP address leak via image proxy bypass in Zulip Server | zulip | CWE-436 | 4.3 | Medium | 2022-08-31 |
| CVE-2022-35962 | Crafted link in Zulip message can cause disclosure of credentials | zulip-mobile | CWE-184 | 8.0 | High | 2022-08-29 |
| CVE-2022-31168 | Zulip Server insufficient authorization for changing bot roles | zulip | CWE-285 | 5.4 | Medium | 2022-07-22 |
| CVE-2022-31134 | Zulip Server public data export contains attachments that are non-public | zulip | CWE-200 | 4.9 | Medium | 2022-07-12 |
| CVE-2022-31017 | Expression Always True vulnerability in Zulip Server | zulip | CWE-571 | 2.0 | Low | 2022-06-25 |
| CVE-2022-24751 | Race condition in Zulip | zulip | CWE-362 | 5.4 | Medium | 2022-03-16 |
| CVE-2022-23656 | Cross-site scripting vulnerability in Zulip Server | zulip | CWE-79 | 4.6 | Medium | 2022-03-02 |
| CVE-2021-3967 | Improper Access Control in zulip/zulip | zulip/zulip | CWE-284 | 8.8 | - | 2022-02-26 |
| CVE-2022-21706 | Multi-use invitations can grant access to other organizations in Zulip | zulip | CWE-863 | 7.2 | High | 2022-02-25 |

Values marked (AI) are the site's own AI-generated estimates rather than a score published with the advisory; a dash means the site recorded no severity for that entry.
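The first entry in the table is classed as CWE-22, path traversal in the import code. The validator below is an added example written for this page, not Zulip's import code and not derived from the advisory: it shows the generic check that weakness class calls for when extracting an export archive into a destination directory. The helper names `safe_import_path` and `partition_members`, the destination `/var/lib/zulip/import`, and the list of member names (including hostile ones) are all constructed for the illustration.

```python
"""Reject archive member names that would escape the import directory (CWE-22).

Added illustration for this page, not Zulip's own code. The function names,
the import root and SAMPLE_MEMBERS below are constructed assumptions.
"""
import posixpath
from typing import Iterable


def safe_import_path(import_root: str, member_name: str) -> str:
    """Return the path under import_root where member_name may be written.

    Raises ValueError for names that are empty, contain NUL, are absolute,
    or whose normalised form climbs above the import root. Archive names
    use '/', but some writers emit '\\', so both are treated as separators.
    """
    if not member_name or member_name != member_name.strip():
        raise ValueError(f"malformed member name: {member_name!r}")
    if "\x00" in member_name:
        raise ValueError(f"NUL byte in member name: {member_name!r}")
    normalized = posixpath.normpath(member_name.replace("\\", "/"))
    if posixpath.isabs(normalized) or normalized == ".." or normalized.startswith("../"):
        raise ValueError(f"member escapes import root: {member_name!r}")
    root = posixpath.normpath(import_root)
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    # Second, independent check: the joined path must still sit under root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"member escapes import root: {member_name!r}")
    return candidate


def partition_members(import_root: str, names: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split member names into (accepted destination paths, rejected raw names)."""
    accepted: list[str] = []
    rejected: list[str] = []
    for name in names:
        try:
            accepted.append(safe_import_path(import_root, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


# Constructed member names resembling an export archive, with hostile entries mixed in.
SAMPLE_MEMBERS = [
    "realm.json",
    "uploads/avatars/42.png",
    "uploads/./emoji/../avatars/1.png",          # benign, normalises cleanly
    "../../etc/cron.d/evil",                      # relative climb
    "/etc/passwd",                                # absolute path
    "uploads/..\\..\\..\\root/.ssh/authorized_keys",  # backslash separators
    "uploads/../../../../tmp/x",                  # climb hidden behind a prefix
]

if __name__ == "__main__":
    ok, bad = partition_members("/var/lib/zulip/import", SAMPLE_MEMBERS)
    for path in ok:
        print("accept", path)
    for name in bad:
        print("REJECT", name)
```

The check is purely lexical, which is deliberate so it can run before anything touches the disk; it does not protect against symlinks that already exist under the destination or that an earlier archive member created. For real extraction, also resolve each destination with `os.path.realpath` after creating its parent directories, or let the standard library do the work with `tarfile.extractall(filter="data")`, which Python 3.12 (and the security backports to older releases) provides for exactly this class of bug.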

This page lists every published CVE security advisory associated with zulip. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.