Description
Zulip is an open-source team collaboration tool. In versions from 5.0 up to, but not including, 11.5, some administrative actions on the user profile were susceptible to stored XSS via crafted group names or channel names. Exploitation required the victim user to explicitly interact with the affected object (the UI:R in the CVSS vector below reflects this). This vulnerability is fixed in 11.5.
References (4)
Vendor Advisory: https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9
Patch: https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7
Release Notes: https://github.com/zulip/zulip/releases/tag/11.5
Changelog: https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-11-5
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
3.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
zulip/zulip_server
5.0 to before 11.5 (fixed in 11.5)
Published
Feb 06, 2026
Tracked Since
Feb 18, 2026