CVE-2025-52559 MEDIUM

CVE-2025-52559: Zulip XSS in digest preview URL

Vendor Zulip
Product zulip
Weakness CWE-79 · XSS
Published July 2, 2025
Last update July 2, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Zulip is an open-source team chat application. In Zulip Server versions from 2.0.0-rc1 up to, but not including, 10.4, the /digest/ URL of a server shows a preview of what the weekly email digest would contain. This preview page (though not the emailed digest itself) contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. As a workaround, deny access to /digest/.
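The weakness class here (CWE-79) is a page that inserts user-controlled names into HTML without neutralizing them. The following Python is an added illustration, not Zulip's code and not the 10.4 fix: it builds a toy digest preview two ways, with names concatenated raw and with names passed through the standard library's `html.escape`, and includes a small check a reviewer or test could use to confirm that raw markup from a name never reaches the rendered output. The sample channel and topic names are constructed for this example.

```python
import html
from typing import Dict, List

# Constructed sample data: channel and topic names as they might appear in a
# digest preview. Two of them deliberately contain HTML so the difference
# between the two renderers is visible.
SAMPLE_DIGEST: Dict[str, List[str]] = {
    "channels": ["general", "dev <b>alerts</b>"],
    "topics": ["release planning", "q3 \"roadmap\" <i>draft</i>"],
}


def render_preview_vulnerable(digest: Dict[str, List[str]]) -> str:
    """Build the preview by interpolating names straight into HTML (CWE-79 pattern)."""
    parts = ["<ul>"]
    for name in digest["channels"]:
        parts.append(f"<li class='channel'>{name}</li>")
    for name in digest["topics"]:
        parts.append(f"<li class='topic'>{name}</li>")
    parts.append("</ul>")
    return "".join(parts)


def render_preview_hardened(digest: Dict[str, List[str]]) -> str:
    """Same layout, but every user-controlled name is HTML-escaped before insertion.

    html.escape converts <, >, & and (by default) both quote characters, so a
    name can only ever be displayed as text, never interpreted as markup.
    """
    parts = ["<ul>"]
    for name in digest["channels"]:
        parts.append(f"<li class='channel'>{html.escape(name)}</li>")
    for name in digest["topics"]:
        parts.append(f"<li class='topic'>{html.escape(name)}</li>")
    parts.append("</ul>")
    return "".join(parts)


def leaks_raw_markup(rendered: str, names: List[str]) -> bool:
    """Review/test helper: True if any name containing '<' or '"' appears verbatim.

    A correctly escaped page never contains such a name unchanged, because at
    least one of its characters must have been turned into an entity.
    """
    return any(("<" in n or '"' in n) and n in rendered for n in names)


if __name__ == "__main__":
    all_names = SAMPLE_DIGEST["channels"] + SAMPLE_DIGEST["topics"]
    print("vulnerable leaks markup:", leaks_raw_markup(render_preview_vulnerable(SAMPLE_DIGEST), all_names))
    print("hardened leaks markup:  ", leaks_raw_markup(render_preview_hardened(SAMPLE_DIGEST), all_names))
```

The check in `leaks_raw_markup` is deliberately crude; in a real code base the equivalent guarantee comes from using the template engine's autoescaping for every interpolated value rather than building HTML by string concatenation.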

Key dates

Disclosure timeline

July 2, 2025 CVE published
July 2, 2025 Record updated