Description
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956
X_Refsource_Misc x_refsource_misc
https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c
Scores
CVSS v3
6.1
EPSS
0.0024
EPSS Percentile
14.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
zulip/zulip
1.4.0 - 11.5
zulip/zulip
>= 1.4.0, < 11.6
Published
Apr 03, 2026
Tracked Since
Apr 04, 2026