zulip — Vulnerabilities & Security Advisories 33

All 33 CVE vulnerabilities found in zulip, with AI-generated Chinese analysis, references, and POCs.

Vendor: n/a

CVE ID	Title	CVSS	Severity	Published
CVE-2026-26058	Zulip: Path Traversal in Import CWE-22	6.1	Medium	2026-04-03
CVE-2026-25742	Zulip: Anonymous File Access After Disabling Spectator Access CWE-862	5.3	Medium	2026-04-03
CVE-2026-25741	Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing Users CWE-863	7.1	High	2026-02-26
CVE-2026-24050	Zulip affected by Stored XSS in user profile modal CWE-79	5.4^AI	Medium^AI	2026-02-06
CVE-2025-52559	Zulip XSS in digest preview URL CWE-79	6.8	Medium	2025-07-02
CVE-2025-47930	Zulip Server has access control bypass for restrictions on creation of specific channel types CWE-863	6.5^AI	Medium^AI	2025-05-15
CVE-2025-31478	Zulip Authentication Backend Configuration Bypass CWE-287	8.2	High	2025-04-16
CVE-2025-30369	Zulip allows the deletion of Custom profile fields by administrators of a different organization CWE-566	2.7	Low	2025-03-31
CVE-2025-30368	Zulip allows the deletion of organization by administrators of a different organization CWE-566	2.7	Low	2025-03-31
CVE-2025-27149	Zulip exports can leak private data CWE-497	6.5	-	2025-03-31
CVE-2025-25195	Zulip events can leak private channel names CWE-200	4.3	Medium	2025-02-13
CVE-2024-56136	/api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server CWE-200	5.3	-	2025-01-16
CVE-2024-27286	Moving single messages from public to private streams leaves them accessible CWE-200	6.5	Medium	2024-03-20
CVE-2024-21630	Zulip non-admins can invite new users to streams they would not otherwise be able to add existing users to CWE-862	4.3	Medium	2024-01-25
CVE-2023-47642	Stream description leaks to ex-subscribers in Zulip CWE-200	4.3	Medium	2023-11-16
CVE-2023-32678	Zulip vulnerable to insufficient authorization check for edition/deletion of messages and topics in private streams by former subscribers CWE-285	6.5	Medium	2023-08-25
CVE-2023-33186	Cross-site scripting vulnerability in Zulip Server development branch via topic tooltip CWE-79	8.2	High	2023-05-30
CVE-2023-28623	Unauthorized user can register an account in specific configurations in Zulip CWE-285	6.5	Medium	2023-05-19
CVE-2023-32677	Users who can send invitations can erroneously add users to streams during invitation in Zulip CWE-862	3.1	Low	2023-05-19
CVE-2023-22735	User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip CWE-436	4.4	Medium	2023-02-07
CVE-2022-41914	Non-constant-time SCIM token comparison in Zulip Server CWE-200	3.7	Low	2022-11-16
CVE-2022-36048	IP address leak via image proxy bypass in Zulip Server CWE-436	4.3	Medium	2022-08-31
CVE-2016-4427	Zulip 访问控制错误漏洞 CWE-284	5.9	-	2022-07-28
CVE-2016-4426	Zulip 安全漏洞 CWE-284	6.5	-	2022-07-28
CVE-2022-31168	Zulip Server insufficient authorization for changing bot roles CWE-285	5.4	Medium	2022-07-22
CVE-2022-31134	Zulip Server public data export contains attachments that are non-public CWE-200	4.9	Medium	2022-07-12
CVE-2022-31017	Expression Always True vulnerability in Zulip Server CWE-571	2.0	Low	2022-06-25
CVE-2022-24751	Race condition in Zulip CWE-362	5.4	Medium	2022-03-16
CVE-2022-23656	Cross-site scripting vulnerability in Zulip Server CWE-79	4.6	Medium	2022-03-02
CVE-2022-21706	Multi-use invitations can grant access to other organizations in Zulip CWE-863	7.2	High	2022-02-25

All 33 known CVE vulnerabilities affecting zulip with full Chinese analysis, references, and POCs where available.

Goal Reached Thanks to every supporter — we hit 100%!

zulip — Vulnerabilities & Security Advisories 33