CVE-2026-24050
Unknown Unknown - Not Provided
Stored XSS in Zulip User Profiles via Group and Channel Names

Publication date: 2026-02-06

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24050
EUVD
EUVD-2026-5640
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zulip zulip_server From 5.0 (inc) to 11.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24050 is a stored Cross-Site Scripting (XSS) vulnerability in the Zulip open-source team collaboration tool affecting versions from 5.0 up to but not including 11.5.

The vulnerability arises from administrative actions on the user profile that involve group names or channel names, which can contain malicious scripts. These scripts are stored and can be executed when a user explicitly interacts with the affected object.

The issue was fixed in version 11.5 by ensuring proper HTML escaping in error messages, preventing malicious HTML content from being injected and rendered in the user interface.

Impact Analysis

This vulnerability can allow an attacker to inject malicious scripts into group or channel names that are displayed in the user profile modal.

If a user interacts with these maliciously crafted objects, the injected scripts could execute in their browser context, potentially leading to unauthorized actions, data theft, or session hijacking within the Zulip application.

However, exploitation requires explicit user interaction with the problematic object, and the vulnerability is classified as low severity.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Zulip versions 5.0 to before 11.5, affecting administrative actions on user profiles involving group names or channel names. Detection involves identifying if your Zulip instance is running a vulnerable version and if any user profile or administrative actions include suspicious or malicious scripts embedded in group or channel names.

Since the vulnerability requires user interaction with the problematic object, monitoring logs for unusual or unexpected script tags in group or channel names can help detect exploitation attempts.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

The primary mitigation step is to upgrade your Zulip server to version 11.5 or later, where this stored XSS vulnerability has been fixed.

The fix involves proper HTML escaping in the client-side code, replacing unsafe translation functions with safe ones to prevent HTML injection in error messages related to group and channel management.

Until the upgrade is applied, avoid interacting with or administrating group names or channel names that may contain untrusted input, and educate users to be cautious about clicking on suspicious links or UI elements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart