Unrated severityNVD Advisory· Published Feb 6, 2026· Updated Feb 9, 2026

Zulip affected by Stored XSS in user profile modal

CVE-2026-24050

Description

Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5.

Affected products

Zulip/Zulipv5
Range: >= 5.0, < 11.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7mitrex_refsource_MISC
github.com/zulip/zulip/releases/tag/11.5mitrex_refsource_MISC
github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9mitrex_refsource_CONFIRM
zulip.readthedocs.io/en/latest/overview/changelog.htmlmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000