
Zulip — Vulnerabilities & Security Advisories (36)

Browse all 36 CVE security advisories affecting Zulip. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-26058 | Zulip: Path Traversal in Import | zulip | CWE-22 | 6.1 | Medium | 2026-04-03 |
| CVE-2026-25742 | Zulip: Anonymous File Access After Disabling Spectator Access | zulip | CWE-862 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-25741 | Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing Users | zulip | CWE-863 | 7.1 | High | 2026-02-26 |
| CVE-2026-24050 | Zulip affected by Stored XSS in user profile modal | zulip | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2025-52559 | Zulip XSS in digest preview URL | zulip | CWE-79 | 6.8 | Medium | 2025-07-02 |
| CVE-2025-47930 | Zulip Server has access control bypass for restrictions on creation of specific channel types | zulip | CWE-863 | 6.5 (AI) | Medium (AI) | 2025-05-15 |
| CVE-2025-31478 | Zulip Authentication Backend Configuration Bypass | zulip | CWE-287 | 8.2 | High | 2025-04-16 |
| CVE-2025-30369 | Zulip allows the deletion of Custom profile fields by administrators of a different organization | zulip | CWE-566 | 2.7 | Low | 2025-03-31 |
| CVE-2025-30368 | Zulip allows the deletion of organization by administrators of a different organization | zulip | CWE-566 | 2.7 | Low | 2025-03-31 |
| CVE-2025-27149 | Zulip exports can leak private data | zulip | CWE-497 | 6.5 | - | 2025-03-31 |
| CVE-2025-25195 | Zulip events can leak private channel names | zulip | CWE-200 | 4.3 | Medium | 2025-02-13 |
| CVE-2024-56136 | /api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server | zulip | CWE-200 | 5.3 | - | 2025-01-16 |
| CVE-2024-27286 | Moving single messages from public to private streams leaves them accessible | zulip | CWE-200 | 6.5 | Medium | 2024-03-20 |
| CVE-2024-21630 | Zulip non-admins can invite new users to streams they would not otherwise be able to add existing users to | zulip | CWE-862 | 4.3 | Medium | 2024-01-25 |
| CVE-2023-47642 | Stream description leaks to ex-subscribers in Zulip | zulip | CWE-200 | 4.3 | Medium | 2023-11-16 |
| CVE-2023-32678 | Zulip vulnerable to insufficient authorization check for edition/deletion of messages and topics in private streams by former subscribers | zulip | CWE-285 | 6.5 | Medium | 2023-08-25 |
| CVE-2023-33186 | Cross-site scripting vulnerability in Zulip Server development branch via topic tooltip | zulip | CWE-79 | 8.2 | High | 2023-05-30 |
| CVE-2023-28623 | Unauthorized user can register an account in specific configurations in Zulip | zulip | CWE-285 | 6.5 | Medium | 2023-05-19 |
| CVE-2023-32677 | Users who can send invitations can erroneously add users to streams during invitation in Zulip | zulip | CWE-862 | 3.1 | Low | 2023-05-19 |
| CVE-2023-22735 | User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip | zulip | CWE-436 | 4.4 | Medium | 2023-02-07 |
| CVE-2022-41914 | Non-constant-time SCIM token comparison in Zulip Server | zulip | CWE-200 | 3.7 | Low | 2022-11-16 |
| CVE-2022-36048 | IP address leak via image proxy bypass in Zulip Server | zulip | CWE-436 | 4.3 | Medium | 2022-08-31 |
| CVE-2022-35962 | Crafted link in Zulip message can cause disclosure of credentials | zulip-mobile | CWE-184 | 8.0 | High | 2022-08-29 |
| CVE-2022-31168 | Zulip Server insufficient authorization for changing bot roles | zulip | CWE-285 | 5.4 | Medium | 2022-07-22 |
| CVE-2022-31134 | Zulip Server public data export contains attachments that are non-public | zulip | CWE-200 | 4.9 | Medium | 2022-07-12 |
| CVE-2022-31017 | Expression Always True vulnerability in Zulip Server | zulip | CWE-571 | 2.0 | Low | 2022-06-25 |
| CVE-2022-24751 | Race condition in Zulip | zulip | CWE-362 | 5.4 | Medium | 2022-03-16 |
| CVE-2022-23656 | Cross-site scripting vulnerability in Zulip Server | zulip | CWE-79 | 4.6 | Medium | 2022-03-02 |
| CVE-2021-3967 | Improper Access Control in zulip/zulip | zulip/zulip | CWE-284 | 8.8 | - | 2022-02-26 |
| CVE-2022-21706 | Multi-use invitations can grant access to other organizations in Zulip | zulip | CWE-863 | 7.2 | High | 2022-02-25 |

This page lists every published CVE security advisory associated with Zulip. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.