EUVD-2026-15940
GHSA-rqj3-x344-qvxc
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4Tags
Description
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags
Analysis
Multiple stored cross-site scripting (XSS) vulnerabilities exist in Seafile Server's Seadoc (sdoc) editor that fail to sanitize WebSocket messages related to document structure updates. Authenticated remote attackers can inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags, affecting Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running Seafile Server and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today