Skip to main content

Seafile Server EUVDEUVD-2026-15940

| CVE-2026-30587 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 mitre GHSA-rqj3-x344-qvxc
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
SUSE
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 17:47 euvd
EUVD-2026-15940
Analysis Generated
Mar 25, 2026 - 17:47 vuln.today
CVE Published
Mar 25, 2026 - 00:00 nvd
HIGH 8.7

DescriptionCVE.org

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags

AnalysisAI

Multiple stored cross-site scripting (XSS) vulnerabilities exist in Seafile Server's Seadoc (sdoc) editor that fail to sanitize WebSocket messages related to document structure updates. Authenticated remote attackers can inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags, affecting Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior. A proof-of-concept has been publicly disclosed on GitHub, and patches are available in versions 13.0.17, 13.0.17-pro, and 12.0.20-pro.

Technical ContextAI

The vulnerability resides in the Seadoc editor component of Seafile Server, which uses WebSocket communication to handle real-time document structure updates. The root cause is insufficient input validation and output encoding of user-supplied data within WebSocket messages, specifically for attributes in embedded elements like Excalidraw whiteboards (via src) and hyperlinks (via href). This is a classic stored XSS weakness (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-controlled data is persisted in the document structure and later rendered in the browser without proper sanitization. The vulnerability affects Seafile's web-based collaborative editing infrastructure, which stores and transmits document modifications through WebSocket channels that bypass traditional HTTP request filtering.

RemediationAI

Immediately upgrade Seafile Server to version 13.0.17, 13.0.17-pro, or 12.0.20-pro depending on your deployment track. Refer to official Seafile changelogs at https://manual.seafile.com for version-specific upgrade instructions. Until patching is completed, restrict access to Seafile to trusted users and networks via firewall rules, monitor WebSocket traffic for suspicious attribute patterns (particularly src and href values containing JavaScript protocols), and review document revision history for signs of injection. Additionally, enforce Content Security Policy (CSP) headers with strict script-src directives to mitigate XSS impact even if payloads are injected. The GitHub commit references (https://github.com/haiwen/seahub/commit/4c5301747bdb84c64b2f2b3230417df2d1cc8987 and https://github.com/haiwen/seadoc-editor/commit/8fa988aaede072b2ae073d1b2edcb2fc691423b2) provide insight into the patch implementation.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-15940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy