Zulip server

This hub aggregates every CVE we track for Zulip server, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Zulip server.

• CVE-2026-40300Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history6.5May 12, 2026
• CVE-2026-24050Zulip affected by Stored XSS in user profile modal5.4Feb 6, 2026
• CVE-2025-52559Zulip XSS in digest preview URL6.8Jul 2, 2025
• CVE-2025-31478Zulip Authentication Backend Configuration Bypass8.2Apr 16, 2025
• CVE-2025-30369Zulip allows the deletion of Custom profile fields by administrators of a different organization2.7Mar 31, 2025
• CVE-2025-27149Zulip exports can leak private data2.7Mar 31, 2025
• CVE-2024-56136/api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server5.3Jan 16, 2025
• CVE-2024-36612Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers.7.5Nov 29, 2024
• CVE-2024-27286Moving single messages from public to private streams leaves them accessible6.5Mar 20, 2024
• CVE-2024-21630Zulip non-admins can invite new users to streams they would not otherwise be able to add existing users to4.3Jan 25, 2024
• CVE-2023-47642Stream description leaks to ex-subscribers in Zulip4.3Nov 16, 2023
• CVE-2023-32678Zulip vulnerable to insufficient authorization check for edition/deletion of messages and topics in private streams by former subscribers6.5Aug 25, 2023
• CVE-2023-33186Cross-site scripting vulnerability in Zulip Server development branch via topic tooltip8.2May 30, 2023
• CVE-2023-22735User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip4.4Feb 7, 2023
• CVE-2022-41914Non-constant-time SCIM token comparison in Zulip Server3.7Nov 16, 2022