How severe is CVE-2025-27149?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-27149?

This is classified as CWE-497, which is a common weakness in software security.

CVE-2025-27149 - MEDIUM Severity | CVSS N/A

Vulnerability Description

Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The collection of user-agent types identifying specific integrations or HTTP libraries (E.g., ZulipGitlabWebhook, okhttp, or PycURL) that have been used to access any organization on the server was incorrectly included in all three export types, regardless of if they were used to access the exported organization or not. The "public data" and "with consent" exports metadata including the titles of some topics in private channels which the administrator otherwise did not have access to, and none of the users consented to exporting and metadata for which users were in a group DM together. This vulnerability is fixed in 10.0.

Related Vulnerabilities

CVE-2020-25179

CRITICAL

CVSS:9.8(Critical)

GE Healthcare Imaging and Ultrasound Products may allow specific credentials to be exposed during transport over the network.

CWE-4972020

CVE-2024-36554

CRITICAL

CVSS:9.8(Critical)

Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allow a malicious user to gain in...

CWE-4972024

CVE-2025-1144

CRITICAL

CVSS:9.8(Critical)

School Affairs System from Quanxun has an Exposure of Sensitive Information, allowing unauthenticated attackers to view specific pages and obtain database information as well as plaintext administrato...

CWE-4972025

CVE-2022-1902

HIGH

CVSS:8.8(High)

A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifier...

CWE-4972022

CVE-2024-39675

HIGH

CVSS:8.8(High)

A vulnerability has been identified in RUGGEDCOM RMC30 (All versions < V4.3.10), RUGGEDCOM RMC30NC (All versions < V4.3.10), RUGGEDCOM RP110 (All versions < V4.3.10), RUGGEDCOM RP110NC (All versions <...

CWE-4972024

CVE-2025-0061

HIGH

CVSS:8.7(High)

SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulne...

CWE-4972025