MEDIUM🇬🇧 English

CVE-2026-26058

CVSS 6.1v3.1pub. 2026-04-03upd. 2026-04-22

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.

oryginał EN
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
  • Zulip

    APP
    Zulip
    1.4.0 – 11.5
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2022-35962HIGH8.0ten sam produkt

Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. In Zulip Mobile throug...

CVE-2016-4427HIGH7.5ten sam produkt

In zulip before 1.3.12, deactivated users could access messages if SSO was enabled.

CVE-2021-3967HIGH8.8ten sam produkt

Improper Access Control in GitHub repository zulip/zulip prior to 4.10.

CVE-2021-43799HIGH8.6ten sam produkt

Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. ...

CVE-2026-25742MEDIUM5.3ten sam produkt

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collabora...