VYPR

Zulip Server

by Zulip

Source repositories

CVEs (35)

  • CVE-2017-0910HigNov 27, 2017
    risk 0.57cvss 8.8epss 0.01

    In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm.

  • CVE-2017-0896MedJun 2, 2017
    risk 0.42cvss 6.5epss 0.01

    Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured…

  • CVE-2018-9990MedApr 18, 2018
    risk 0.40cvss 6.1epss 0.01

    In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead.

  • CVE-2018-9987MedApr 18, 2018
    risk 0.40cvss 6.1epss 0.01

    In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications.

  • CVE-2018-9986MedApr 18, 2018
    risk 0.40cvss 6.1epss 0.01

    In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor.

  • CVE-2026-40300MedMay 12, 2026
    risk 0.35cvss 6.5epss 0.00

    Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users'…

  • CVE-2018-9999MedApr 18, 2018
    risk 0.35cvss 5.4epss 0.01

    In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend.

  • CVE-2017-0881MedMar 28, 2017
    risk 0.28cvss 4.3epss 0.01

    An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to…

  • CVE-2025-52559Jul 2, 2025
    risk 0.00cvss epss 0.00

    Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS)…

  • CVE-2025-30369Mar 31, 2025
    risk 0.00cvss epss 0.00

    Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an…

  • CVE-2025-30368Mar 31, 2025
    risk 0.00cvss epss 0.00

    Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of…

  • CVE-2024-56136Jan 16, 2025
    risk 0.00cvss epss 0.01

    Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and…

  • CVE-2024-27286Mar 20, 2024
    risk 0.00cvss epss 0.01

    Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to just move one message, and was moving it from a…

  • CVE-2023-33186May 30, 2023
    risk 0.00cvss epss 0.01

    Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and…

  • CVE-2023-32677May 19, 2023
    risk 0.00cvss epss 0.01

    Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows…

  • CVE-2022-36048Aug 31, 2022
    risk 0.00cvss epss 0.00

    Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could…

  • CVE-2022-31134Jul 12, 2022
    risk 0.00cvss epss 0.01

    Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to…

  • CVE-2022-31017Jun 25, 2022
    risk 0.00cvss epss 0.01

    Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers should not be allowed to see messages sent before they were subscribed, when…

  • CVE-2022-23656Mar 2, 2022
    risk 0.00cvss epss 0.01

    Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a…

  • CVE-2022-21706Feb 25, 2022
    risk 0.00cvss epss 0.01

    Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack…

Page 1 of 2