{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30587", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T17:05:27.741Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T17:05:27.741Z"}, "descriptions": [{"lang": "en", "value": "Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gist.github.com/gabdevele/1b7e30ab367b26042fa32f45aa12ce2f"}, {"url": "https://manual.seafile.com/13.0/changelog/server-changelog/"}, {"url": "https://manual.seafile.com/13.0/changelog/changelog-for-seafile-professional-server/"}, {"url": "https://manual.seafile.com/12.0/changelog/changelog-for-seafile-professional-server/"}, {"url": "https://github.com/haiwen/seahub/commit/4c5301747bdb84c64b2f2b3230417df2d1cc8987"}, {"url": "https://github.com/haiwen/seadoc-editor/commit/8fa988aaede072b2ae073d1b2edcb2fc691423b2"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags"}], "id": "CVE-2026-30587", "lastModified": "2026-03-25T18:16:31.793", "metrics": {}, "published": "2026-03-25T18:16:31.793", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/gabdevele/1b7e30ab367b26042fa32f45aa12ce2f"}, {"source": "cve@mitre.org", "url": "https://github.com/haiwen/seadoc-editor/commit/8fa988aaede072b2ae073d1b2edcb2fc691423b2"}, {"source": "cve@mitre.org", "url": "https://github.com/haiwen/seahub/commit/4c5301747bdb84c64b2f2b3230417df2d1cc8987"}, {"source": "cve@mitre.org", "url": "https://manual.seafile.com/12.0/changelog/changelog-for-seafile-professional-server/"}, {"source": "cve@mitre.org", "url": "https://manual.seafile.com/13.0/changelog/changelog-for-seafile-professional-server/"}, {"source": "cve@mitre.org", "url": "https://manual.seafile.com/13.0/changelog/server-changelog/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{"bugzilla": {"description": "Seafile Server: Seadoc editor: seahub: seadoc-editor: Seafile Server: Arbitrary client-side code execution via Stored Cross-Site Scripting in Seadoc editor", "id": "2451404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451404"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Seafile Server and its Seadoc editor. This Stored Cross-Site Scripting (XSS) vulnerability allows authenticated remote attackers to inject malicious JavaScript code. The application fails to properly sanitize WebSocket messages during document structure updates. By exploiting this, an attacker can execute arbitrary client-side scripts, potentially leading to information disclosure or unauthorized actions within a user's browser."], "name": "CVE-2026-30587", "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30587\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30587\nhttps://gist.github.com/gabdevele/1b7e30ab367b26042fa32f45aa12ce2f\nhttps://github.com/haiwen/seadoc-editor/commit/8fa988aaede072b2ae073d1b2edcb2fc691423b2\nhttps://github.com/haiwen/seahub/commit/4c5301747bdb84c64b2f2b3230417df2d1cc8987\nhttps://manual.seafile.com/12.0/changelog/changelog-for-seafile-professional-server/\nhttps://manual.seafile.com/13.0/changelog/changelog-for-seafile-professional-server/\nhttps://manual.seafile.com/13.0/changelog/server-changelog/"], "statement": "This MODERATE stored XSS vulnerability in Seafile Server's Seadoc editor allows authenticated users to inject malicious scripts via unsanitized WebSocket messages. Exploitation requires low privileges (any authenticated user) and user interaction (victim views document). Impact is high to confidentiality and integrity. Affects Seafile Server 13.0.15, 13.0.16-pro, 12.0.14 and prior. Fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T20:11:51.054772+00:00", "value": {"mitigation_remediation": ["Upgrade Seafile Server to version 13.0.17 or newer, 13.0.17\u2011pro, 12.0.20\u2011pro, or a later release that includes the fix.", "If an upgrade cannot be performed immediately, disable the Seadoc editor or restrict the use of Excalidraw whiteboards to trusted users only.", "Limit document editing and viewing permissions to a minimal trusted user set to reduce the window of opportunity for injection.", "Monitor WebSocket traffic and audit logs for unexpected src or href values that may indicate injection attempts.", "Regularly consult Seafile\u2019s official website or release notes for further updates or recommended mitigations."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects Seafile Server releases 13.0.15, 13.0.16\u2011pro, 12.0.14 and all earlier versions. The issue was fixed in releases 13.0.17, 13.0.17\u2011pro, 12.0.20\u2011pro and newer. Any installation using the Seadoc editor component prior to these patch versions is vulnerable.", "description_and_impact": "Seafile Server contains multiple stored cross\u2011site scripting flaws that arise when the Seadoc (sdoc) editor processes WebSocket messages describing document changes without properly sanitizing user supplied input. The vulnerability allows an authenticated attacker to embed malicious JavaScript by inserting a payload into the src attribute of an Excalidraw whiteboard or the href attribute of an anchor tag. When a victim opens or views the compromised document, the script executes in the victim\u2019s browser with the victim\u2019s credentials, potentially leading to session hijacking, cookie theft, or defacement of the user interface.", "risk_and_exploitability": "Exploitation requires the attacker to be authenticated to the target instance and to have editing or viewing rights on the affected document. No publicly available exploit is known and an EPSS score is not provided, indicating a moderate likelihood of exploitation in realistic scenarios. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can deliver the malicious payload over the WebSocket channel, so the attack vector is client\u2011side within the browser context."}}}}, "created": "2026-03-25T20:56:59.379162+00:00", "title": "Stored XSS via Unsanitized WebSocket Updates in Seafile Seadoc Editor", "updated": "2026-03-25T20:56:59.379198+00:00", "vendors": [], "weaknesses": ["CWE-79"]}