Description
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior, and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to arbitrary client-side code execution in the victim's browser
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Seadoc (sdoc) editor of Seafile Server. The server does not sanitize the WebSocket messages that carry document‑structure updates, so an authenticated attacker can write attacker‑controlled values into the src attribute of an embedded Excalidraw whiteboard or the href attribute of an anchor tag (typically a javascript: URL). Once a victim opens the document, the payload runs in that user's browser in the context of the Seafile origin, where it can read session data, act on the victim's behalf inside Seafile, or deliver further client‑side attacks.

Affected Systems

The CVE description lists Seafile Server 13.0.15, 13.0.16‑pro, and 12.0.14 and prior as affected, with fixes in 13.0.17, 13.0.17‑pro, and 12.0.20‑pro. The 12.0 releases between 12.0.14 and the 12.0.20‑pro fix are not explicitly named, so treat any 12.0.x build below 12.0.20‑pro and any 13.0.x build below 13.0.17 as vulnerable until confirmed otherwise. The affected product is Seafile Server, the self‑hosted file‑sharing and collaboration platform; the flaw lives in its Seadoc editor component.

Risk and Exploitability

The CVSS 3.1 score of 5.4 rates the flaw Medium, and the EPSS score below 1 % indicates a low predicted likelihood of exploitation. The vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) captures the two preconditions: the attacker needs a Seafile account that can edit a Seadoc document (PR:L), and a victim must open that document in the editor (UI:R). The flaw is not listed in CISA's KEV catalog, so no active exploitation is known. Still, any authenticated user can plant the payload in a document that others will open, and the script then runs in each viewer's session, which makes the issue well suited to targeted, insider‑style, or share‑link phishing attacks against specific users.

Generated by OpenCVE AI on March 27, 2026 at 21:45 UTC.

Remediation

The CVE description names fixed releases (13.0.17, 13.0.17‑pro, and 12.0.20‑pro); upgrading to one of them is the remediation. No vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Verify the Seafile Server version your organization uses.
  • If the version is a 12.0.x build below 12.0.20‑pro or a 13.0.x build below 13.0.17 (including 13.0.16‑pro), upgrade to 12.0.20‑pro, 13.0.17, or 13.0.17‑pro as applicable, without delay.
  • After upgrading, review and clean any previously shared Seadoc documents that may contain embedded scripts or suspicious links.
  • If an upgrade cannot be performed right away, limit Seadoc editing to trusted users (the payload requires an account that can edit a document) and, as defence in depth, restrict the URL schemes and origins that links and embedded whiteboards may use, for example through a Content Security Policy applied at the reverse proxy.
  • Monitor Seadoc document content and sharing activity for javascript: or data: URLs in links and for whiteboard embeds pointing at unexpected origins, and watch for phishing that lures users into opening shared documents.
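The attribute checks implied by the Impact section above (href and src values arriving in document‑structure updates) and the clean‑up of existing documents recommended in this list can be expressed as one allow‑listing routine. The block below is an added example written for this page, not Seafile or Seadoc code. It assumes a Slate‑style node tree in which `link` nodes carry `href` and `whiteboard` nodes carry `src`, an update message with an `ops` array, and an allowed whiteboard origin of whiteboard.example.com; all of those names are assumptions for illustration, and the sample message is constructed so the code runs offline.

```javascript
// Added example, not Seafile/Seadoc code: server-side allow-listing of the
// href/src attributes carried in document-structure updates, reusable as an
// audit pass over stored documents. The message shape, node types ("link",
// "whiteboard") and the whiteboard origin below are assumptions.

// Schemes a link href (or a plain media src) may use. Everything else,
// including javascript:, data: and vbscript:, is rejected.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Origins an embedded whiteboard may be loaded from (assumed for this example).
const ALLOWED_EMBED_ORIGINS = new Set(["https://whiteboard.example.com"]);

// Parse with the WHATWG URL parser, which already strips tabs/newlines and
// leading/trailing whitespace and lower-cases the scheme, so "Java\tScript:..."
// still parses as javascript:. Relative references resolve against a
// placeholder base so that they are never mistaken for an allowed origin.
function parseUrl(value) {
  if (typeof value !== "string") return null;
  try {
    return new URL(value, "https://placeholder.invalid/");
  } catch {
    return null;
  }
}

function hasSafeScheme(value) {
  const u = parseUrl(value);
  return u !== null && SAFE_SCHEMES.has(u.protocol);
}

// A whiteboard is rendered in an iframe, so its src must be an absolute
// https URL on an allow-listed origin; relative paths resolve to the
// placeholder origin and are therefore rejected as well.
function isSafeEmbedSrc(value) {
  const u = parseUrl(value);
  return u !== null && u.protocol === "https:" && ALLOWED_EMBED_ORIGINS.has(u.origin);
}

function attributeIsSafe(node, key) {
  if (key === "href") return hasSafeScheme(node.href);
  if (key === "src") {
    return node.type === "whiteboard" ? isSafeEmbedSrc(node.src) : hasSafeScheme(node.src);
  }
  return true;
}

// Walk any JSON value (ops, nodes, nested children), deleting unsafe href/src
// attributes in place and recording what was dropped. A partial property
// update that carries a src without the node's type only gets the scheme
// check here; a real server would resolve the target node to apply the strict one.
function sanitizeTree(value, path, findings) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => sanitizeTree(item, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if ((key === "href" || key === "src") && !attributeIsSafe(value, key)) {
        findings.push({ path: `${path}.${key}`, value: value[key] });
        delete value[key];
      } else {
        sanitizeTree(value[key], `${path}.${key}`, findings);
      }
    }
  }
  return value;
}

// Inbound WebSocket update: returns a sanitized copy plus the rejected attributes.
function sanitizeUpdateMessage(msg) {
  const copy = JSON.parse(JSON.stringify(msg));
  const findings = [];
  sanitizeTree(copy.ops, "ops", findings);
  return { message: copy, findings };
}

// Audit of a stored document (same node shape); the document is not modified.
function auditDocument(doc) {
  const findings = [];
  sanitizeTree(JSON.parse(JSON.stringify(doc)), "doc", findings);
  return findings;
}

// Constructed sample update, shaped like a collaborative-editing message (assumed).
const SAMPLE_UPDATE = {
  type: "update",
  ops: [
    { op: "insert_node", node: { type: "link", href: "https://seafile.example.com/lib/abc", children: [{ text: "report" }] } },
    { op: "insert_node", node: { type: "link", href: "JavaScript:alert(document.cookie)", children: [{ text: "click me" }] } },
    { op: "insert_node", node: { type: "whiteboard", src: "https://whiteboard.example.com/board/42" } },
    { op: "insert_node", node: { type: "whiteboard", src: "data:text/html,<script>alert(1)</script>" } },
    { op: "insert_node", node: { type: "whiteboard", src: "https://attacker.example.net/board" } },
  ],
};

const sanitized = sanitizeUpdateMessage(SAMPLE_UPDATE);
console.log("dropped attributes:", JSON.stringify(sanitized.findings, null, 2));
```

The same `sanitizeTree` walker serves both the inbound path (run it before an update is broadcast to other editors or persisted) and the audit path over already stored documents. The design choice that matters is letting the URL parser normalise the value first: scheme case, embedded tabs and leading whitespace all defeat a naive `startsWith("javascript:")` check, but none of them survive parsing.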

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:30:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values added: Seafile; Seafile seafile
Type: Vendors & Products
Values added: Seafile; Seafile seafile

Thu, 26 Mar 2026 00:15:00 +0000

Type: Title
Values removed: Stored XSS via Unsanitized WebSocket Updates in Seafile Seadoc Editor
Values added: Seafile Server: Seadoc editor: seahub: seadoc-editor: Seafile Server: Arbitrary client-side code execution via Stored Cross-Site Scripting in Seadoc editor
Type: References (values not shown)
Type: Metrics (threat_severity)
Values removed: None
Values added: Moderate
Type: Metrics (cvssV3_1)
Values added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}


Wed, 25 Mar 2026 22:00:00 +0000

Type: Title
Values added: Stored XSS via Unsanitized WebSocket Updates in Seafile Seadoc Editor
Type: Weaknesses
Values added: CWE-79

Wed, 25 Mar 2026 17:45:00 +0000

Type: Description
Values added: Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags
Type: References (values not shown)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T19:39:27.697Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30587

Vulnrichment

Updated: 2026-03-27T19:39:24.909Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T18:16:31.793

Modified: 2026-03-27T20:16:29.710

Link: CVE-2026-30587

Red Hat

Severity: Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-30587 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-29T20:28:46Z

Weaknesses