CVE-2025-25195 Zulip events can leak private channel names

Zulip is an open source team chat application. A weekly cron job added in 50256f48314250978f521ef439cafa704e056539 demotes channels to being "inactive" after they have not received traffic for 180 days. However, upon doing so, an event was sent to all users in the organization, not just users in...

Information disclosure

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel...