CVE-2026-24050
Stored XSS in Zulip User Profiles via Group and Channel Names

Publication date: 2026-02-06

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:

Vendor   Product        Version / Range
zulip    zulip_server   from 5.0 (inclusive) to 11.5 (exclusive)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24050 is a stored Cross-Site Scripting (XSS) vulnerability in the Zulip open-source team collaboration tool affecting versions from 5.0 up to but not including 11.5.

The vulnerability arises from administrative actions on the user profile that involve group names or channel names, which can contain malicious scripts. These scripts are stored and can be executed when a user explicitly interacts with the affected object.

The issue was fixed in version 11.5 by ensuring proper HTML escaping in error messages, preventing malicious HTML content from being injected and rendered in the user interface.


How can this vulnerability impact me?

This vulnerability can allow an attacker to inject malicious scripts into group or channel names that are displayed in the user profile modal.

If a user interacts with these maliciously crafted objects, the injected scripts could execute in their browser context, potentially leading to unauthorized actions, data theft, or session hijacking within the Zulip application.

However, exploitation requires explicit user interaction with the problematic object, and the vulnerability is classified as low severity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Zulip versions 5.0 to before 11.5, affecting administrative actions on user profiles involving group names or channel names. Detection involves identifying if your Zulip instance is running a vulnerable version and if any user profile or administrative actions include suspicious or malicious scripts embedded in group or channel names.

Since the vulnerability requires user interaction with the problematic object, monitoring logs for unusual or unexpected script tags in group or channel names can help detect exploitation attempts.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.
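As an added example (not code from Zulip or from this record), the following JavaScript performs the two checks the answer above describes: deciding whether a zulip_server version string falls inside the affected range, 5.0 inclusive to 11.5 exclusive, and flagging stored group or channel names that contain HTML markup, event-handler attributes or javascript: URLs. The version string and the list of names are assumed to be supplied by the administrator from their own deployment (how to export them is not covered by the record and is not assumed here); the sample objects in the block are constructed.

```javascript
// Added example, not Zulip's code: two defender-side checks for CVE-2026-24050.
//  1. isAffectedVersion(): is a zulip_server version inside the affected range,
//     5.0 inclusive to 11.5 exclusive, as the CVE record states?
//  2. findSuspiciousNames(): flag stored group or channel names that carry HTML
//     markup, event-handler attributes or javascript: URLs.
// The version string and the name list are inputs you supply from your own
// deployment; the export step is not part of this example.

const AFFECTED_FROM = [5, 0, 0];   // inclusive, from the CVE record
const FIXED_IN = [11, 5, 0];       // exclusive, fix version from the CVE record

// Parse "11.4" or "11.4.2" into [major, minor, patch]; missing parts are 0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic compare of two [major, minor, patch] tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return compareVersions(p, AFFECTED_FROM) >= 0 && compareVersions(p, FIXED_IN) < 0;
}

// Patterns a legitimate group or channel name has no reason to contain.
// A bare "<" followed by a space (as in "a < b") is not a tag and is not flagged.
const SUSPICIOUS = [
  { reason: "html tag", re: /<\s*\/?\s*[a-z][^>]*>/i },
  { reason: "event handler attribute", re: /\bon[a-z]+\s*=/i },
  { reason: "javascript: url", re: /javascript\s*:/i },
];

// objects: [{kind, id, name}, ...]; returns one finding per flagged object,
// naming the first pattern that matched.
function findSuspiciousNames(objects) {
  const findings = [];
  for (const obj of objects) {
    const hit = SUSPICIOUS.find(({ re }) => re.test(obj.name));
    if (hit) findings.push({ kind: obj.kind, id: obj.id, name: obj.name, reason: hit.reason });
  }
  return findings;
}

// Constructed sample data, standing in for an export of your instance's objects.
const SAMPLE_OBJECTS = [
  { kind: "group", id: 1, name: "engineering" },
  { kind: "channel", id: 2, name: "R&D updates" },
  { kind: "channel", id: 3, name: "math: a < b" },
  { kind: "group", id: 4, name: "ops <script>x</script>" },
  { kind: "channel", id: 5, name: "docs javascript:void(0)" },
];

function main() {
  console.log("11.4 affected:", isAffectedVersion("11.4"));   // true
  console.log("11.5 affected:", isAffectedVersion("11.5"));   // false
  console.log(findSuspiciousNames(SAMPLE_OBJECTS));           // ids 4 and 5
}
main();
```

A version check alone is the reliable signal; the name scan only surfaces objects worth a manual look, and a name flagged here on a patched instance is rendered harmlessly.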


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade your Zulip server to version 11.5 or later, where this stored XSS vulnerability has been fixed.

The fix involves proper HTML escaping in the client-side code, replacing unsafe translation functions with safe ones to prevent HTML injection in error messages related to group and channel management.

Until the upgrade is applied, avoid interacting with or administering group names or channel names that may contain untrusted input, and educate users to be cautious about clicking on suspicious links or UI elements.
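As an added example that is not Zulip's code, this JavaScript shows the pattern the fix description refers to: a plain-text message formatter t() and an HTML-aware formatter tHtml() (both hypothetical names) fill an error-message template with a group or channel name. Writing t()'s output into an HTML sink lets markup in the stored name become live elements; tHtml() escapes each interpolated value while leaving the template's own markup intact. The stored name and the template are constructed, and a small tag scanner stands in for the browser's HTML parser so the block runs in Node.

```javascript
// Added example, not Zulip's code. Two message formatters in the style of an i18n
// layer: t() returns plain text and tHtml() returns HTML with every interpolated
// value escaped. The bug class behind CVE-2026-24050 is taking a plain-text
// formatter's output, which still contains the raw group or channel name, and
// writing it into an HTML sink such as innerHTML.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Replace each {key} in the template with transform(values[key]).
function interpolate(template, values, transform) {
  return template.replace(/\{(\w+)\}/g, (_, key) => transform(values[key] ?? ""));
}

// Plain-text formatter (hypothetical name): correct for textContent, wrong for innerHTML.
function t(template, values = {}) {
  return interpolate(template, values, (v) => String(v));
}

// HTML formatter (hypothetical name): the template's own markup (author-controlled)
// stays live, interpolated values (user-controlled) are escaped.
function tHtml(template, values = {}) {
  return interpolate(template, values, escapeHtml);
}

// Minimal stand-in for the browser's HTML parser so the example runs in Node:
// returns the names of the opening tags an innerHTML assignment would turn into elements.
function tagsCreatedBy(html) {
  const tags = [];
  const re = /<([a-z][a-z0-9]*)\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Constructed stored name carrying markup, the shape of input the advisory describes.
const STORED_NAME = "ops <script>x</script>";
// Constructed template; the <b> is the message author's own markup.
const ERROR_TEMPLATE = "Cannot remove <b>{name}</b> from the user's groups.";

// Vulnerable pattern: plain-text output used as HTML, so the name's markup is parsed.
function renderErrorUnsafe(name) {
  return t(ERROR_TEMPLATE, { name });   // imagine this assigned to element.innerHTML
}

// Fixed pattern: HTML-aware formatter, so only the template's <b> becomes an element.
function renderErrorSafe(name) {
  return tHtml(ERROR_TEMPLATE, { name });
}

function main() {
  console.log("unsafe:", tagsCreatedBy(renderErrorUnsafe(STORED_NAME)));   // [ 'b', 'script' ]
  console.log("safe:  ", tagsCreatedBy(renderErrorSafe(STORED_NAME)));     // [ 'b' ]
}
main();
```

The point of keeping two formatters is context: escaping the whole finished message would also neutralise the template's intended <b>, so the HTML-aware formatter escapes values at interpolation time and the plain-text one is reserved for text sinks.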

