CVE-2026-26058 — MEDIUM (6.1)

Q: How severe is CVE-2026-26058?

CVE-2026-26058 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-26058?

Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip.

Vulnerability Description

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Zulip	Zulip	>= 1.4.0, <= 11.5

Related Weaknesses (CWE)

CWE-22

References

https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754cPatch
https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956ExploitVendor Advisory

FAQ

What is CVE-2026-26058?

CVE-2026-26058 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.js...

How severe is CVE-2026-26058?

CVE-2026-26058 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-26058?

Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip.