Every CVE whose affected-product data names Zulip Zulip Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (40)
CVE-2019-18933 — CVSS 9.8 (critical): In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account…
CVE-2017-0910 — CVSS 8.8 (high): In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one…
CVE-2020-15070 — CVSS 8.8 (high): Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and…
CVE-2025-31478 — CVSS 8.2 (high): Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to…
CVE-2023-33186 — CVSS 8.2 (high): Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote…
CVE-2020-14215 — CVSS 7.5 (high): Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to…
CVE-2022-21706 — CVSS 7.2 (high): Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to…
CVE-2025-52559 — CVSS 6.8 (medium): Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a…
CVE-2023-32678 — CVSS 6.5 (medium): Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to…
CVE-2017-0896 — CVSS 6.5 (medium): Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat…
CVE-2019-16215 — CVSS 6.5 (medium): The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged…
CVE-2026-40300 — CVSS 6.5 (medium): Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves"…
CVE-2024-27286 — CVSS 6.5 (medium): Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic…
CVE-2018-9986 — CVSS 6.1 (medium): In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor.
CVE-2019-19775 — CVSS 6.1 (medium): The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users.
CVE-2026-24050 — CVSS 5.4 (medium): Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible…
CVE-2019-16216 — CVSS 5.4 (medium): Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files…
CVE-2018-9999 — CVSS 5.4 (medium): In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend.
CVE-2021-30479 — CVSS 5.3 (medium): An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest…
CVE-2024-56136 — CVSS 5.3 (medium): Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to…
CVE-2022-31134 — CVSS 4.9 (medium): Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server…
CVE-2022-23656 — CVSS 4.6 (medium): Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site…
CVE-2023-22735 — CVSS 4.4 (medium): Zulip is an open-source team collaboration tool. In versions of zulip prior to commit `2f6c5a8` but after commit `04cf68b` users could…
CVE-2021-30477 — CVSS 4.3 (medium): An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private…
CVE-2017-0881 — CVSS 4.3 (medium): An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server…
CVE-2021-30478 — CVSS 4.3 (medium): An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously…
CVE-2023-47642 — CVSS 4.3 (medium): Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previously been…
CVE-2024-21630 — CVSS 4.3 (medium): Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use…
CVE-2022-41914 — CVSS 3.7 (low): Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management(SCIM) account…
CVE-2021-30487 — CVSS 2.7 (low): In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other…
CVE-2025-30369 — CVSS 2.7 (low): Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to…
CVE-2025-27149 — CVSS 2.7 (low): Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization…