CVE-2026-24050

5.4 MEDIUM

📋 TL;DR

Zulip versions 5.0 through 11.4 contain a stored cross-site scripting (XSS) flaw: an authenticated user who can create (or rename) a user group or channel can place script content in its name, and that script later runs in an administrator's browser when the administrator performs certain user profile actions that render the name. The issue is fixed in Zulip 11.5 (GHSA-56qv-8823-6fq9).

💻 Affected Systems

Products:
  • Zulip
Versions: 5.0 to 11.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator interaction with malicious group/channel names during user profile management.

📦 What is this software?

Zulip is an open-source team chat and collaboration server (a Python/Django backend with a browser-based web app), run self-hosted by many organizations and also offered as a hosted service.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Injected script runs with the administrator's privileges inside the Zulip web app, so an attacker could perform administrative actions in the victim's session, read data the administrator can see, or change organization settings. Delivering malware to the administrator's workstation is not something this XSS provides on its own; it would require chaining a separate browser exploit.

🟠

Likely Case

Session hijacking of administrators, unauthorized access to sensitive team data, or defacement of the collaboration platform.

🟢

If Mitigated

Limited impact: exploitation needs an authenticated account that can set a group or channel name, plus an administrator who later acts on a user profile that renders it. Note that the browser's same-origin policy does not help here, since the injected script already runs in Zulip's own origin; what reduces impact is patching, limiting who can create or rename these objects, and a strict Content Security Policy.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires an authenticated account permitted to create or rename user groups or channels (in many organizations, any member), and an administrator who later performs a user profile action that renders the malicious name in their browser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.5

Vendor Advisory: https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9

Restart Required: Yes

Instructions:

1. Back up your Zulip instance.
2. As root, from the current deployment directory (/home/zulip/deployments/current), run: ./scripts/upgrade-zulip-from-git 11.5
3. The upgrade script restarts Zulip's services as part of the upgrade; run ./scripts/restart-server only if it reports that the restart was skipped.
4. Verify the upgrade completed (see How to Verify below): version.py should report ZULIP_VERSION = "11.5".

🔧 Temporary Workarounds

Input Sanitization Enhancement (applies to: all)

Add server-side validation that rejects user group and channel names containing markup (for example <, >, javascript: or on*= attribute fragments). Treat this as a stopgap only: stored XSS is properly fixed by escaping at the point of output, a blocklist can be bypassed with encoding tricks, and any local change to Zulip's code must be re-applied or dropped when you upgrade.

Content Security Policy (applies to: all)

Serve a strict Content-Security-Policy header (no 'unsafe-inline' in script-src, and script sources limited to your own origin) so that injected inline script is blocked even if the injection succeeds. Check the CSP your instance already sends before tightening it, and test the web app afterwards; CSP limits the impact of this flaw but does not remove the injection.

🧯 If You Can't Patch

  • In Organization settings, restrict who can create or rename channels and user groups to administrators or a small set of trusted roles until you can patch.
  • Review existing channel and user group names for markup (see Detection & Monitoring below) and rename any that contain it.
  • Watch administrator accounts for unexpected actions (role changes, setting changes) and tell administrators to report channels or groups with odd-looking names rather than interacting with them.

🔍 How to Verify

Check if Vulnerable:

The instance is vulnerable if the installed ZULIP_VERSION is 5.0 through 11.4.

Check Version:

grep ZULIP_VERSION /home/zulip/deployments/current/version.py

The same string is exposed unauthenticated as zulip_version in the JSON returned by GET /api/v1/server_settings, which is convenient for checking several instances remotely.

Verify Fix Applied:

Confirm ZULIP_VERSION is 11.5 or higher. As a functional check, create a test user group or channel whose name contains a harmless marker such as <b>xss-probe</b>, have an administrator perform the user profile actions this advisory describes, and confirm the name appears as literal text (no bold rendering, nothing in the browser console). Delete the test object afterwards.
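The version check above, turned into a small script that can be run against a copy of version.py or the JSON from /api/v1/server_settings. This is an added example for this page, not Zulip's own tooling; the affected range and fixed version are taken from this advisory, and the default path and the zulip_version JSON key are the ones Zulip uses, but confirm them on your deployment.

```python
"""Classify a Zulip server version against the range this advisory lists
as affected (5.0 through 11.4; fixed in 11.5).

Added example for this page; not part of Zulip.  Assumptions: the version
string is read either from version.py on the server (a line of the form
ZULIP_VERSION = "11.4") or from the unauthenticated JSON endpoint
/api/v1/server_settings, which returns it under the key "zulip_version".
"""
import json
import re
import sys
from typing import Optional, Tuple

AFFECTED_MIN = (5, 0)
AFFECTED_MAX = (11, 4)
FIXED = (11, 5)

_VERSION_LINE = re.compile(r"""^\s*ZULIP_VERSION\s*=\s*["']([^"']+)["']""")


def extract_version_from_version_py(text: str) -> Optional[str]:
    """Pull the ZULIP_VERSION string out of the contents of version.py."""
    for line in text.splitlines():
        m = _VERSION_LINE.match(line)
        if m:
            return m.group(1)
    return None


def version_from_server_settings(body: str) -> str:
    """Pull the version out of the JSON body of GET /api/v1/server_settings."""
    return json.loads(body)["zulip_version"]


def parse_version(version: str) -> Tuple[int, int]:
    """'11.4' -> (11, 4).  A '-dev' / '+git' suffix is dropped here; callers
    use is_affected(), which refuses to judge such snapshot builds."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = core.split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised Zulip version string: {version!r}")
    return int(parts[0]), int(parts[1])


def is_affected(version: str) -> str:
    """Return one of 'affected', 'fixed', 'snapshot' or 'out-of-range'.

    'snapshot' covers development builds ("11.5-dev+git"), whose fix status
    depends on the commit rather than the version label.  'out-of-range'
    covers releases older than 5.0, which the advisory does not list (they
    are long unsupported, so they need an upgrade anyway).
    """
    if "-dev" in version or "+git" in version:
        return "snapshot"
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "out-of-range"


if __name__ == "__main__":
    # Usage: python3 check_zulip_version.py [/path/to/version.py]
    path = sys.argv[1] if len(sys.argv) > 1 else "/home/zulip/deployments/current/version.py"
    with open(path, encoding="utf-8") as fh:
        found = extract_version_from_version_py(fh.read())
    if found is None:
        sys.exit(f"no ZULIP_VERSION line found in {path}")
    print(f"{path}: ZULIP_VERSION={found} -> {is_affected(found)}")
```

Development builds are deliberately reported as "snapshot" rather than guessed at: a tree labelled 11.5-dev may or may not contain the fix commit, so check the commit instead of the label.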

📡 Detection & Monitoring

Log Indicators:

  • Unusual group/channel name patterns containing script tags
  • Administrator session anomalies

Network Indicators:

  • Requests from administrators' browsers (not from the Zulip server) to unfamiliar hosts shortly after they view user profiles, visible in proxy or DNS logs; the injected script runs client-side, so the server itself makes no unusual connections.

SIEM Query:

Channel and user group names are unlikely to appear in Zulip's request logs, so search the names themselves (a periodic export, or a database query) rather than server.log. If name changes are shipped to your SIEM, a literal starting pattern is:

source="zulip.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=" OR "<img" OR "<svg")

Literal matching misses case variants, whitespace around "=", and HTML-entity encoding, so decode entities and lower-case the names before matching.
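The detection logic in the query above, written out so it can be run offline over a list of names. This is an added example for this page, not part of Zulip; it scans a constructed sample list. The Django table names suggested in the docstring (zerver_stream, zerver_usergroup) for pulling live names are an assumption and should be checked against your schema.

```python
"""Flag channel and user group names that look like stored-XSS payloads.

Added example for this page; not part of Zulip.  It scans a constructed
list of names.  On a live server the names would instead come from the
database; the Django table names zerver_stream and zerver_usergroup (both
with a "name" column) are an assumption here, so check them against your
schema before running something like:
    su zulip -c 'psql zulip -Atc "SELECT name FROM zerver_stream"'
"""
import html
import re
from typing import Iterable, List, Tuple

# Each pattern is applied to the name after HTML-entity decoding and
# lower-casing, so "&lt;ScRiPt&gt;", "onerror = " or "javascript&#58;"
# are caught even though a literal "<script>" search would miss them.
PATTERNS = [
    ("script-tag",    re.compile(r"<\s*/?\s*script\b")),
    ("event-handler", re.compile(
        r"\bon(error|load|click|dblclick|mouse[a-z]*|focus[a-z]*|blur"
        r"|key[a-z]*|input|change|submit|toggle|animation[a-z]*"
        r"|transition[a-z]*|pointer[a-z]*|touch[a-z]*|wheel|scroll)\s*=")),
    ("js-uri",        re.compile(r"javascript\s*:")),
    ("markup-tag",    re.compile(
        r"<\s*(img|svg|iframe|object|embed|a|body|style|form|input|video|audio|math)\b")),
    ("data-uri",      re.compile(r"data\s*:\s*text/html")),
]


def normalise(name: str) -> str:
    """Decode HTML entities (twice, for double-encoded payloads) and lower-case."""
    decoded = name
    for _ in range(2):
        decoded = html.unescape(decoded)
    return decoded.lower()


def classify(name: str) -> List[str]:
    """Return the labels of every pattern the normalised name matches."""
    norm = normalise(name)
    return [label for label, rx in PATTERNS if rx.search(norm)]


def scan(names: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (name, labels) for every name that matches at least one pattern."""
    hits = []
    for name in names:
        labels = classify(name)
        if labels:
            hits.append((name, labels))
    return hits


# Constructed sample names: two benign, five that should be flagged.
SAMPLE_NAMES = [
    "engineering",
    "onboarding = team",                            # benign despite "on...="
    "<script>alert(document.domain)</script>",
    "&lt;ScRiPt src=//x.invalid&gt;",               # entity-encoded, mixed case
    "team <img src=x onerror = alert(1)>",          # handler with spaces around "="
    '<a href="javascript&#58;alert(1)">help</a>',   # encoded colon
    "&amp;lt;svg onload=alert(1)&amp;gt;",          # double-encoded
]

if __name__ == "__main__":
    for name, labels in scan(SAMPLE_NAMES):
        print(f"SUSPICIOUS {labels}: {name!r}")
```

The event-handler pattern matches a fixed list of handler names rather than any "on…=" so that ordinary names such as "onboarding = team" are not flagged; extend the list if your environment sees other handlers.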

🔗 References

  • Zulip security advisory GHSA-56qv-8823-6fq9: https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9
  • NVD entry for CVE-2026-24050: https://nvd.nist.gov/vuln/detail/CVE-2026-24050