Vulnerability Description
Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip Server | >= 5.0, < 11.5 |
Related Weaknesses (CWE)
References
- https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7Patch
- https://github.com/zulip/zulip/releases/tag/11.5Release Notes
- https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9Vendor Advisory
- https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-11-5Release Notes
FAQ
What is CVE-2026-24050?
CVE-2026-24050 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting the...
How severe is CVE-2026-24050?
CVE-2026-24050 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-24050?
Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip Server.