CVE-2026-26058 MEDIUM

CVE-2026-26058: Zulip: Path Traversal in Import

Vendor Zulip
Product zulip
Weakness CWE-22 · Path traversal
Published April 3, 2026
Last update April 6, 2026

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
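A pre-import check an administrator could run on an unpacked export before passing it to ./manage.py import, shown as an added example (it is not Zulip's code or its patch). It assumes each record in uploads/records.json names its source file under a "path" key relative to the uploads directory; that key name and the sample tree are assumptions, not details from this record.

```python
import json
import os
import tempfile

# Assumption (not stated in the advisory): each record names its source file
# under a "path" key, relative to the export's uploads/ directory.
PATH_KEY = "path"


def escaping_records(uploads_dir, records, path_key=PATH_KEY):
    """Return (index, path) for records whose source resolves outside uploads_dir."""
    root = os.path.realpath(uploads_dir)
    bad = []
    for i, rec in enumerate(records):
        rel = rec.get(path_key) if isinstance(rec, dict) else None
        if not isinstance(rel, str) or not rel:
            bad.append((i, rel))  # missing or non-string path: reject
            continue
        # realpath collapses ".." and follows symlinks shipped in the tarball;
        # joining with an absolute path discards root, so that case is caught too.
        target = os.path.realpath(os.path.join(root, rel))
        if os.path.commonpath([root, target]) != root:
            bad.append((i, rel))
    return bad


def audit_export(export_dir):
    """Load uploads/records.json from an unpacked export and list bad records."""
    uploads_dir = os.path.join(export_dir, "uploads")
    with open(os.path.join(uploads_dir, "records.json"), encoding="utf-8") as fh:
        return escaping_records(uploads_dir, json.load(fh))


def build_constructed_export(base):
    """Write a small constructed export tree under base and return its path."""
    export_dir = os.path.join(base, "export")
    uploads = os.path.join(export_dir, "uploads")
    os.makedirs(os.path.join(uploads, "2"))
    open(os.path.join(uploads, "2", "a.png"), "wb").close()
    os.symlink(base, os.path.join(uploads, "link"))  # symlink leaving uploads/
    records = [{"path": "2/a.png"}, {"path": "../../outside.txt"},
               {"path": "/etc/hostname"}, {"path": "link/outside.txt"}]
    with open(os.path.join(uploads, "records.json"), "w", encoding="utf-8") as fh:
        json.dump(records, fh)
    return export_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for index, path in audit_export(build_constructed_export(tmp)):
            print(f"record {index}: {path!r} resolves outside uploads/")
```

An empty result means every record resolves inside uploads/; any reported record is a reason to reject the tarball rather than import it.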

Key dates

02 Disclosure timeline

April 3, 2026 CVE published
April 6, 2026 Record updated