Zulip Server
by Zulip
CVEs (35)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-0910 | Zulip / Zulip Server | High | 0.57 | 8.8 | 0.01 | | Nov 27, 2017 | In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. |
| CVE-2017-0896 | Zulip / Zulip Server | Med | 0.42 | 6.5 | 0.01 | | Jun 2, 2017 | Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured… |
| CVE-2018-9990 | Zulip / Zulip Server | Med | 0.40 | 6.1 | 0.01 | | Apr 18, 2018 | In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. |
| CVE-2018-9987 | Zulip / Zulip Server | Med | 0.40 | 6.1 | 0.01 | | Apr 18, 2018 | In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. |
| CVE-2018-9986 | Zulip / Zulip Server | Med | 0.40 | 6.1 | 0.01 | | Apr 18, 2018 | In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. |
| CVE-2026-40300 | Zulip / Zulip Server | Med | 0.35 | 6.5 | 0.00 | | May 12, 2026 | Zulip is an open-source team collaboration tool. Prior to 12.0, with message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users'… |
| CVE-2018-9999 | Zulip / Zulip Server | Med | 0.35 | 5.4 | 0.01 | | Apr 18, 2018 | In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. |
| CVE-2017-0881 | Zulip / Zulip Server | Med | 0.28 | 4.3 | 0.01 | | Mar 28, 2017 | An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to… |
| CVE-2025-52559 | Zulip / Zulip Server | | 0.00 | — | 0.00 | | Jul 2, 2025 | Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS)… |
| CVE-2025-30369 | Zulip / Zulip Server | | 0.00 | — | 0.00 | | Mar 31, 2025 | Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an… |
| CVE-2025-30368 | Zulip / Zulip Server | | 0.00 | — | 0.00 | | Mar 31, 2025 | Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of… |
| CVE-2024-56136 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | Jan 16, 2025 | Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclosure attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and… |
| CVE-2024-27286 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | Mar 20, 2024 | Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to just move one message, and was moving it from a… |
| CVE-2023-33186 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | May 30, 2023 | Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and… |
| CVE-2023-32677 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | May 19, 2023 | Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows… |
| CVE-2022-36048 | Zulip / Zulip Server | | 0.00 | — | 0.00 | | Aug 31, 2022 | Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could… |
| CVE-2022-31134 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | Jul 12, 2022 | Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to… |
| CVE-2022-31017 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | Jun 25, 2022 | Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers should not be allowed to see messages sent before they were subscribed, when… |
| CVE-2022-23656 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | Mar 2, 2022 | Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a… |
| CVE-2022-21706 | Zulip / Zulip Server | | 0.00 | — | 0.01 | | Feb 25, 2022 | Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack… |
Page 1 of 2