CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/05/12 5:16 p.m.•11 views

CVE-2026-40300

6.5CVSS0.00247EPSS

EUVD•added 2026/05/12 4:33 p.m.•7 views

EUVD-2026-29537

ATTACKERKB•added 2026/05/12 4:33 p.m.•4 views

CVE-2026-40300

Exploits1References2Affected Software1

Vulnrichment•added 2026/05/12 4:33 p.m.•4 views

CVE-2026-40300 Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history

Cvelist•added 2026/05/12 4:33 p.m.•30 views

CVE-2026-40300 Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history

6CVSS0.00247EPSS

CVE•added 2026/05/12 4:33 p.m.•12 views

CVE-2026-40300

Summary of vulnerability (CVE-2026-40300) Affected software: Zulip open-source team collaboration tool (prior to version 12.0). Root cause: When message_edit_history_visibility_policy is set to the value "moves", the endpoint /api/v1/messages/{id}/history continues to return historical content va...

6.5CVSS5.8AI score0.00247EPSS

Exploits1References1Affected Software1

CNNVD•added 2026/05/12 12:0 a.m.•7 views

Zulip 访问控制错误漏洞

Zulip is a powerful open-source chat application developed by the US company Zulip. It combines the immediacy of real-time conversations with the productivity benefits of threaded dialogue. Prior to Zulip 12.0, there was an access control vulnerability. This vulnerability occurred when...

6.5CVSS5.8AI score0.00247EPSS

Positive Technologies•added 2026/05/12 12:0 a.m.•11 views

PT-2026-40100

Zulip is an open-source team collaboration tool. Prior to 12.0, With message edit history visibility policy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

The Hacker News•added 2026/05/07 9:20 a.m.•19 views

PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux

Cybersecurity researchers have discovered three packages on the Python Package Index PyPI repository that are designed to stealthily deliver a previously unknown malware family called ZiChatBot on Windows and Linux systems. "While these wheel packages do implement the features described on their...

6AI score

Exploits0

Securelist•added 2026/05/06 1:0 p.m.•4 views

OceanLotus suspected of using PyPI to deliver ZiChatBot malware

Introduction Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI the Python Package Index. We shared this information with the public security community, and the malware was removed from the repository. We submitted...

6.1AI score

Exploits0

RedhatCVE•added 2026/04/06 10:57 a.m.•2 views

CVE-2026-25742

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

5.3CVSS5.8AI score0.00312EPSS

RedhatCVE•added 2026/04/06 10:57 a.m.•4 views

CVE-2026-26058

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the...

NVD•added 2026/04/03 9:17 p.m.•4 views

CVE-2026-25742

5.3CVSS0.00312EPSS

Exploits1References4

NVD•added 2026/04/03 9:17 p.m.•1 views

CVE-2026-26058

6.1CVSS0.00237EPSS

Cvelist•added 2026/04/03 8:59 p.m.•20 views

CVE-2026-26058 Zulip: Path Traversal in Import

6.1CVSS0.00237EPSS

EUVD•added 2026/04/03 8:59 p.m.•0 views

EUVD-2026-18838

Vulnrichment•added 2026/04/03 8:59 p.m.•1 views

CVE-2026-26058 Zulip: Path Traversal in Import

CVE•added 2026/04/03 8:59 p.m.•8 views

CVE-2026-26058

Zulip (open-source team collaboration tool) is affected in versions 1.4.0 up to, but not including, 11.6. The vulnerability arises in the import path where ./manage.py import can read arbitrary server files due to path traversal in uploads/records.json. A crafted export tarball can cause the serv...