{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26058", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.899Z", "datePublished": "2026-04-03T20:59:08.941Z", "dateUpdated": "2026-04-06T13:11:57.089Z"}, "containers": {"cna": {"title": "Zulip: Path Traversal in Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956"}, {"name": "https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c"}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"version": ">= 1.4.0, < 11.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:59:08.941Z"}, "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6."}], "source": {"advisory": "GHSA-xm5c-c6mp-3956", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:11:46.572421Z", "id": "CVE-2026-26058", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:11:57.089Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26058", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:11:46.572421Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:11:52.739Z"}}], "cna": {"title": "Zulip: Path Traversal in Import", "source": {"advisory": "GHSA-xm5c-c6mp-3956", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"status": "affected", "version": ">= 1.4.0, < 11.6"}]}], "references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956", "name": "https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c", "name": "https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:59:08.941Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26058", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:11:57.089Z", "dateReserved": "2026-02-10T18:01:31.899Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T20:59:08.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6."}], "id": "CVE-2026-26058", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T21:17:10.230", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c"}, {"source": "security-advisories@github.com", "url": "https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.4.0,11.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zulip", "source": "cna", "vendor": "zulip"}, "product": "zulip", "vendor": "zulip"}], "analysis": {"en": {"generated_at": "2026-04-03T23:51:20.737197+00:00", "value": {"mitigation_remediation": ["Upgrade Zulip to version 11.6 or newer.", "Restrict the import endpoint to trusted users or networks."], "summary": {"action": "Apply Patch", "impact": "Read arbitrary server files"}, "threat_synthesis": {"affected_systems": "All releases of Zulip from version 1.4.0 up to, but not including, 11.6 are affected. The flaw is triggered by the ./manage.py import command or the web interface that performs the same import operation. Any installation that allows import of export tarballs is vulnerable. The issue was fixed in Zulip 11.6.", "description_and_impact": "This vulnerability is a path traversal flaw (CWE\u201122) in the Zulip import feature. When an export tarball is imported, the server processes the uploads/records.json file without sanitizing file paths. An attacker can craft a tarball that references files outside the intended directory, causing the Zulip process, which runs under the zulip user, to copy any readable file into the uploads directory. The result is unauthorized disclosure of arbitrary server files.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to supply a crafted import tarball and trigger the import, typically available to administrators or authenticated users with import privileges. Once successful, the attacker can read any file that the zulip user can access, potentially revealing sensitive configuration data or credentials, which could facilitate further attacks."}}}}, "created": "2026-04-06T21:22:35.830177+00:00", "updated": "2026-04-06T22:22:13.797698+00:00", "vendors": ["zulip", "zulip$PRODUCT$zulip"]}