CVE-2026-24050 LOW

CVE-2026-24050: Zulip affected by Stored XSS in user profile modal

Vendor Zulip
Product zulip
Weakness CWE-79 · XSS
Published February 6, 2026
Last update February 9, 2026

CVSS base score

1.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

What the vulnerability does

01 Description

Zulip is an open-source team collaboration tool. In versions from 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user to explicitly interact with the problematic object. This vulnerability is fixed in 11.5.

Key dates

02 Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated
