Skip to main content

SeaweedFS CVE-2026-58371

| EUVDEUVD-2026-40359 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 VulnCheck GHSA-7cpf-frp7-pm75
2.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-delivered JSONP attack requires victim browser network access (AV:N) and visiting attacker page (UI:R, AC:H); no auth on endpoints (PR:N); only cluster metadata confidentiality impact (C:L), no integrity or availability effect.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 17:24 vuln.today
CVSS changed
Jun 30, 2026 - 17:22 NVD
3.1 (LOW) 2.3 (LOW)

DescriptionCVE.org

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.

AnalysisAI

Unvalidated JSONP callback reflection in SeaweedFS before 4.30 enables cross-origin reads of cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings from unauthenticated endpoints reachable in the default deployment configuration. The shared writeJson helper in weed/server/common.go concatenates the callback query parameter verbatim into application/javascript responses with no allowlist validation, no X-Content-Type-Options: nosniff header, and no CORS policy, allowing attacker-controlled pages to load these endpoints via script tags and receive cluster metadata through the injected callback. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts malicious page with injected script tag
Delivery
Victim browses to attacker-controlled page
Exploit
Browser issues cross-origin GET to SeaweedFS endpoint with attacker-chosen callback parameter
Execution
SeaweedFS reflects callback verbatim in application/javascript response
Persist
Callback function executes in victim browser context
Impact
Cluster topology and file metadata exfiltrated to attacker-controlled server

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim user's browser can reach the SeaweedFS master, volume server, or filer over the network - the default configuration binds to `0.0.0.0` with no `-whiteList` flag and no `security.toml`, satisfying this condition without any additional misconfiguration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 (AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N) accurately represents low immediate severity: exploitation requires victim user interaction and that the victim's browser can reach the SeaweedFS instance, introducing meaningful real-world friction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page containing a script tag such as `<script src='http://internal-seaweedfs:9333/dir/status?callback=exfil'></script>` along with a globally defined `exfil` function that forwards received data to an attacker-controlled server. When an internal employee whose browser can reach the SeaweedFS master visits the attacker's page, the browser loads the endpoint as a script; SeaweedFS returns `exfil({...cluster topology JSON...})`, which executes in the page context and transmits cluster metadata to the attacker. …
Remediation The primary fix is to upgrade SeaweedFS to version 4.30 or later; the patch was introduced via commit 77dcb20a7485074d37340985d53103f94538abe6 (PR #9686, release at https://github.com/seaweedfs/seaweedfs/releases/tag/4.30) and adds callback-name validation and the missing `X-Content-Type-Options: nosniff` header to `writeJson`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy