{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "edb50cbf2ccbaebfa8ffb54a096e4d319435b06e"
            },
            {
              "fixed": "ad6867b6cc1e5eac5a005f51cadf870317f5a948"
            }
          ],
          "repo": "https://github.com/zulip/zulip",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-vgf2-vw4r-m663"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52559.json"
  },
  "details": "Zulip is an open-source team chat application. In Zulip Server versions from 2.0.0-rc1 up to, but not including, 10.4, the /digest/ URL of a server shows a preview of what the weekly email digest would contain. The preview page served at this URL, though not the digest email itself, contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. As a workaround, deny access to /digest/.",
  "id": "CVE-2025-52559",
  "modified": "2026-04-01T23:08:30.717979279Z",
  "published": "2025-07-02T19:31:12.064Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52559.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/zulip/zulip/security/advisories/GHSA-vgf2-vw4r-m663"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52559"
    },
    {
      "type": "FIX",
      "url": "https://github.com/zulip/zulip/commit/175ec1f365b0db982d6eac9019701cbf6e8bc2f2"
    },
    {
      "type": "FIX",
      "url": "https://github.com/zulip/zulip/commit/1a8429e338ff53bdcc4b42e7e71b6fffdd84fcd1"
    },
    {
      "type": "FIX",
      "url": "https://github.com/zulip/zulip/commit/6608c8777254e73a4b540e5e1c4af92e680a55fc"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zulip XSS in digest preview URL"
}