
zulip server

63 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
| CVE | Affected versions | Summary (truncated) | CVSS | Severity |
|---|---|---|---|---|
| CVE-2026-40300 | all versions | Zulip is an open-source team collaboration tool. Prior to 12.0, with message_edit_history_visibility_policy set to "moves", /api/v | 6.5 | MEDIUM |
| CVE-2026-26058 | >= 1.4.0 and <= 11.5 | Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary fil | 6.1 | MEDIUM |
| CVE-2026-25742 | >= 1.4.0 and < 11.6 | Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From vers | 5.3 | MEDIUM |
| CVE-2026-24050 | >= 5.0 and < 11.5 | Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were sus | 5.4 | MEDIUM |
| CVE-2025-52559 | >= 2.0.1 and < 10.4 | Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a serve | 6.8 | MEDIUM |
| CVE-2025-47930 | >= 10.0 and < 10.3 | Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public chan | 5.3 | MEDIUM |
| CVE-2025-31478 | < 10.2 | Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being | 8.2 | HIGH |
| CVE-2025-30369 | >= 1.6.0 and < 10.1 | Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restr | 2.7 | LOW |
| CVE-2025-30368 | all versions | Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organ | 2.7 | LOW |
| CVE-2025-27149 | >= 2.1.0 and < 10.0 | Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to org | 2.7 | LOW |
| CVE-2024-56136 | >= 7.0 and < 9.4 | Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulner | 5.3 | MEDIUM |
| CVE-2024-36612 | >= 8.0 and <= 8.3 | Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. | 7.5 | HIGH |
| CVE-2024-36624 | all versions | Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. | 5.4 | MEDIUM |
| CVE-2024-36625 | all versions | Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. | 5.4 | MEDIUM |
| CVE-2024-27286 | >= 3.0 and < 8.3 | Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in t | 6.5 | MEDIUM |
| CVE-2024-21630 | >= 1.9.0 and < 6.2 | Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi | 4.3 | MEDIUM |
| CVE-2023-47642 | >= 1.3.0 and < 7.5 | Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previou | 4.3 | MEDIUM |
| CVE-2023-32678 | < 7.3 | Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subs | 6.5 | MEDIUM |
| CVE-2023-33186 | all versions | Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make | 8.2 | HIGH |
| CVE-2023-28623 | < 6.2 | Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: ZulipLDAPAuthBackend and | 6.5 | MEDIUM |
| CVE-2023-32677 | < 6.2 | Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to lim | 3.1 | LOW |
| CVE-2023-22735 | all versions | Zulip is an open-source team collaboration tool. In versions of Zulip prior to commit 2f6c5a8 but after commit 04cf68b users c | 4.4 | MEDIUM |
| CVE-2022-41914 | >= 5.0 and < 5.7 | Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management (SCIM) account | 3.7 | LOW |
| CVE-2022-36048 | < 5.6 | Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages | 4.3 | MEDIUM |
| CVE-2022-35962 | < 27.190 | Zulip is an open source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a | 8.0 | HIGH |
| CVE-2016-4427 | < 1.3.12 | In Zulip before 1.3.12, deactivated users could access messages if SSO was enabled. | 7.5 | HIGH |
| CVE-2016-4426 | < 1.3.12 | In Zulip before 1.3.12, bot API keys were accessible to other users in the same realm. | 4.3 | MEDIUM |
| CVE-2022-31168 | < 5.5 | Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an or | 5.4 | MEDIUM |
| CVE-2022-31134 | >= 2.1.0 and < 5.4 | Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to | 4.9 | MEDIUM |
| CVE-2022-31017 | >= 2.1.0 and < 5.3 | Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A strea | 2.0 | LOW |
| CVE-2022-24751 | >= 4.0 and < 4.11 | Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race | 5.4 | MEDIUM |
| CVE-2022-23656 | >= 2021-06-03 and < 2022-03-01 | Zulip is an open source team chat app. The main development branch of Zulip Server from June 2021 and later is vulnerable to a c | 4.6 | MEDIUM |
| CVE-2021-3967 | < 4.10 | Improper Access Control in GitHub repository zulip/zulip prior to 4.10. | 8.8 | HIGH |
| CVE-2022-21706 | >= 2.0.0 and < 4.10.0 | Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to | 7.2 | HIGH |
| CVE-2021-43799 | < 4.9 | Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip | 8.6 | HIGH |
| CVE-2021-3866 | <= 4.8 | Cross-site Scripting (XSS) - Stored in GitHub repository zulip/zulip more than and including 44f935695d452cc3fb16845a0c6af710438b1 | 5.4 | MEDIUM |
| CVE-2021-43791 | < 4.8 | Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expi | 6.5 | MEDIUM |
| CVE-2021-41115 | < 4.7 | Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure " | 4.3 | MEDIUM |
| CVE-2021-30487 | >= 3.0 and < 3.4 | In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other | 2.7 | LOW |
| CVE-2021-30479 | < 3.4 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in | 5.3 | MEDIUM |
| CVE-2021-30478 | < 3.4 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_ | 4.3 | MEDIUM |
| CVE-2021-30477 | < 3.4 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks t | 4.3 | MEDIUM |
| CVE-2020-10858 | < 5.0.0 | Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request | 5.3 | MEDIUM |
| CVE-2020-10857 | < 5.0.0 | Zulip Desktop before 5.0.0 improperly uses shell.openExternal and shell.openItem with untrusted content, leading to remote code ex | 9.8 | CRITICAL |
| CVE-2020-15070 | < 2.1.7 | Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, | 8.8 | HIGH |
| CVE-2020-14215 | < 2.1.5 | Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to | 7.5 | HIGH |
| CVE-2020-14194 | < 2.1.5 | Zulip Server before 2.1.5 allows reverse tabnabbing via a topic header link. | 5.4 | MEDIUM |
| CVE-2020-12759 | < 2.1.5 | Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. | 6.1 | MEDIUM |
| CVE-2020-9445 | < 2.1.3 | Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. | 6.1 | MEDIUM |
| CVE-2020-9444 | <= 2.1.3 | Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. | 6.1 | MEDIUM |
| CVE-2020-10935 | < 2.1.3 | Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. | 5.4 | MEDIUM |
| CVE-2019-19775 | >= 1.9.0 and < 2.0.8 | The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged- | 6.1 | MEDIUM |
| CVE-2019-18933 | >= 1.7.0 and < 2.0.7 | In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their ac | 9.8 | CRITICAL |
| CVE-2019-10476 | <= 1.1.0 | Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where | 7.8 | HIGH |
| CVE-2019-16216 | >= 1.8.0 and < 2.0.5 | Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could uplo | 5.4 | MEDIUM |
| CVE-2019-16215 | < 2.0.5 | The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is l | 6.5 | MEDIUM |
| CVE-2018-9999 | < 1.7.2 | In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backen | 5.4 | MEDIUM |
| CVE-2018-9990 | < 1.7.2 | In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. | 6.1 | MEDIUM |
| CVE-2018-9987 | >= 1.5.0 and < 1.7.2 | In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. | 6.1 | MEDIUM |
| CVE-2018-9986 | < 1.7.2 | In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. | 6.1 | MEDIUM |
| CVE-2017-0910 | < 1.7.1 | In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user o | 8.8 | HIGH |
| CVE-2017-0896 | all versions | Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group ch | 6.5 | MEDIUM |
| CVE-2017-0881 | < 1.4.3 | An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application se | 4.3 | MEDIUM |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin