Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags
AnalysisAI
Multiple stored cross-site scripting (XSS) vulnerabilities exist in Seafile Server's Seadoc (sdoc) editor that fail to sanitize WebSocket messages related to document structure updates. Authenticated remote attackers can inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags, affecting Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior. A proof-of-concept has been publicly disclosed on GitHub, and patches are available in versions 13.0.17, 13.0.17-pro, and 12.0.20-pro.
Technical ContextAI
The vulnerability resides in the Seadoc editor component of Seafile Server, which uses WebSocket communication to handle real-time document structure updates. The root cause is insufficient input validation and output encoding of user-supplied data within WebSocket messages, specifically for attributes in embedded elements like Excalidraw whiteboards (via src) and hyperlinks (via href). This is a classic stored XSS weakness (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-controlled data is persisted in the document structure and later rendered in the browser without proper sanitization. The vulnerability affects Seafile's web-based collaborative editing infrastructure, which stores and transmits document modifications through WebSocket channels that bypass traditional HTTP request filtering.
RemediationAI
Immediately upgrade Seafile Server to version 13.0.17, 13.0.17-pro, or 12.0.20-pro depending on your deployment track. Refer to official Seafile changelogs at https://manual.seafile.com for version-specific upgrade instructions. Until patching is completed, restrict access to Seafile to trusted users and networks via firewall rules, monitor WebSocket traffic for suspicious attribute patterns (particularly src and href values containing JavaScript protocols), and review document revision history for signs of injection. Additionally, enforce Content Security Policy (CSP) headers with strict script-src directives to mitigate XSS impact even if payloads are injected. The GitHub commit references (https://github.com/haiwen/seahub/commit/4c5301747bdb84c64b2f2b3230417df2d1cc8987 and https://github.com/haiwen/seadoc-editor/commit/8fa988aaede072b2ae073d1b2edcb2fc691423b2) provide insight into the patch implementation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15940
GHSA-rqj3-x344-qvxc