7 matches found
EUVD-2025-4083
Malicious code in bioql PyPI...
EUVD-2022-29586
Malicious code in bioql PyPI...
CVE-2025-52559
Zulip Server contains an XSS vulnerability in the /digest/ URL that previews weekly digests, affecting topic and channel names. Affected versions are Zulip Server 2.0.0-rc1 up to, but not including, 10.4. The issue is fixed in Zulip Server 10.4. Workarounds include denying access to /digest/ until updated. ...
CVE-2022-24751
Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. A...
CVE-2021-43791
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a...
CVE-2025-47930
Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique...
CVE-2025-25195 Zulip events can leak private channel names
Zulip is an open source team chat application. A weekly cron job added in 50256f48314250978f521ef439cafa704e056539 demotes channels to being "inactive" after they have not received traffic for 180 days. However, upon doing so, an event was sent to all users in the organization, not just users in...