Description
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side code execution via XSS
Action: Apply Patch
AI Analysis

Impact

Seafile Server releases 13.0.15, 13.0.16‑pro, 12.0.14 and earlier contain stored cross‑site scripting weaknesses in the Seadoc editor. The application does not sanitize certain WebSocket messages that describe document structure updates, allowing an authenticated remote user to embed malicious JavaScript through the src attribute of an Excalidraw whiteboard or the href attribute of an anchor tag. When another user opens or edits the affected document, the injected script runs in the victim’s browser.

Affected Systems

The vulnerability affects Seafile Server from the vendor Seafile, including all community and professional editions up to and including version 13.0.15, 13.0.16‑pro, and 12.0.14. The issue was fixed in releases 13.0.17, 13.0.17‑pro, and 12.0.20‑pro, as well as later builds.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a legitimate user to inject the payload into a Seadoc document; the attacker then relies on other users opening that document to trigger the injected code. The impact is limited to client-side code execution, which could affect the user’s browser session.

Generated by OpenCVE AI on March 31, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seafile Server to a fixed release (13.0.17, 13.0.17‑pro, or 12.0.20‑pro) as soon as possible.
  • If an upgrade is not feasible, disable embedding of Excalidraw whiteboards or strip the src attribute of injected elements and the href attribute of anchor tags in shared Seadoc documents, or otherwise sanitize user‑supplied content.
  • Implement a Content Security Policy that blocks inline scripts and restricts script execution to trusted origins.
  • Monitor server logs for unusual WebSocket traffic or unexpected script insertion in documents and review shared content for suspicious changes.

Generated by OpenCVE AI on March 31, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rqj3-x344-qvxc Seafile Server has multiple stored XSS vulnerabilities
History

Tue, 31 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Seafile seafile Server
CPEs cpe:2.3:a:seafile:seafile_server:*:*:*:*:professional:*:*:*
cpe:2.3:a:seafile:seafile_server:13.0.15:*:*:*:community:*:*:*
cpe:2.3:a:seafile:seafile_server:13.0.16:*:*:*:professional:*:*:*
Vendors & Products Seafile seafile Server

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Seafile
Seafile seafile
Vendors & Products Seafile
Seafile seafile

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title Stored XSS via Unsanitized WebSocket Updates in Seafile Seadoc Editor Seafile Server: Seadoc editor: seahub: seadoc-editor: Seafile Server: Arbitrary client-side code execution via Stored Cross-Site Scripting in Seadoc editor
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Stored XSS via Unsanitized WebSocket Updates in Seafile Seadoc Editor
Weaknesses CWE-79

Wed, 25 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags
References

Subscriptions

Seafile Seafile Seafile Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T19:39:27.697Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30587

cve-icon Vulnrichment

Updated: 2026-03-27T19:39:24.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T18:16:31.793

Modified: 2026-03-31T18:56:49.457

Link: CVE-2026-30587

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-30587 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:22Z

Weaknesses