CVE-2025-52559

Source
https://cve.org/CVERecord?id=CVE-2025-52559
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52559.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52559
Aliases
  • GHSA-vgf2-vw4r-m663
Published
2025-07-02T19:31:12.064Z
Modified
2026-04-10T05:30:39.747977Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
Zulip XSS in digest preview URL
Details

Zulip is an open-source team chat application. In Zulip Server versions from 2.0.0-rc1 up to, but not including, 10.4, the /digest/ URL of a server shows a preview of what the weekly email digest would contain. This preview URL, though not the digest email itself, contains a cross-site scripting (XSS) vulnerability in the rendering of both topic names and channel names. This issue has been fixed in Zulip Server 10.4. As a workaround, deny access to /digest/.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52559.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/zulip/zulip

Affected ranges

Type
GIT
Repo
https://github.com/zulip/zulip
Events

Affected versions

10.*
10.0
10.0-beta1
10.0-beta2
10.1
10.2
10.3
2.*
2.0.0
2.0.0-rc1
2.1-dev
2.1.0
2.1.0-rc1
2.2-dev
3.*
3.0
3.0-dev
3.0-rc1
3.0-rc2
4.*
4.0
4.0-dev
5.*
5.0
5.0-dev
6.*
6.0
6.0-dev
7.*
7.0
7.0-beta3
7.0-dev
8.*
8.0
8.0-beta1
8.0-beta2
8.0-dev
9.*
9.0
9.0-beta1
9.0-dev
shared-0.*
shared-0.0.1
shared-0.0.10
shared-0.0.11
shared-0.0.12
shared-0.0.13
shared-0.0.14
shared-0.0.15
shared-0.0.16
shared-0.0.17
shared-0.0.18
shared-0.0.2
shared-0.0.3
shared-0.0.4
shared-0.0.5
shared-0.0.6
shared-0.0.7
shared-0.0.8
shared-0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52559.json"