CVE-2026-30587
Published: 25 March 2026
Summary
CVE-2026-30587 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Seafile Server, from the vendor Seafile. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-30587 describes multiple stored cross-site scripting (XSS) vulnerabilities (CWE-79) in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14, and prior releases. The issues affect the Seadoc (sdoc) editor component, where the application fails to properly sanitize WebSocket messages related to document structure updates. This enables injection of malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-03-25.
Authenticated remote attackers with low privileges can exploit these vulnerabilities by crafting and sharing malicious documents in the Seadoc editor. Exploitation requires user interaction, such as a victim opening or interacting with the affected document, after which the injected payloads execute in the context of the victim's browser. Successful attacks can lead to high confidentiality and integrity impacts, including session hijacking, data theft, or further compromise within the scoped application due to the changed scope (S:C).
Mitigation involves upgrading to the fixed versions: Seafile Server 13.0.17, 13.0.17-pro, or 12.0.20-pro. Relevant patches are detailed in Seadoc editor commit 8fa988aaede072b2ae073d1b2edcb2fc691423b2, Seahub commit 4c5301747bdb84c64b2f2b3230417df2d1cc8987, and changelogs for Seafile Professional Server 12.0 and 13.0. Additional technical details are available in the referenced GitHub Gist.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15940
Vulnerability details
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing Seafile web app enables direct exploitation (T1190) via shared malicious documents (T1534), executing attacker-controlled JavaScript (T1059.007) that supports browser session hijacking (T1185) and web cookie theft (T1606.001).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of untrusted WebSocket inputs in the Seadoc editor to block injection of malicious JavaScript payloads via src or href attributes.
- SI-15 (Information Output Filtering): mandates filtering and encoding of document content on output to prevent execution of stored XSS payloads when victims interact with malicious documents.
- Ensures timely identification, reporting, and patching of the stored XSS flaw, as demonstrated by the fixes in Seafile versions 13.0.17, 13.0.17-pro, and 12.0.20-pro.
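The two controls above applied to the flaw described in the deeper analysis, as an added JavaScript example: a scheme allowlist for the src/href attributes carried in a structure-update message (SI-10) and attribute encoding before the value reaches the DOM (SI-15). This is not Seafile or Seadoc code; the message shape, DOC_ORIGIN and the function names are assumptions.

```javascript
// Added example, not Seafile/Seadoc code. Validates URL-bearing attributes
// (an embed's `src`, an anchor's `href`) from a structure update before it is
// applied, and encodes the surviving values for attribute context.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Hypothetical document origin, used only to resolve relative links.
const DOC_ORIGIN = "https://seafile.example.test";

// Returns a safe absolute URL string, or null if the value must be dropped.
function sanitizeUrlAttribute(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    // WHATWG URL parsing strips tab/newline and leading control characters,
    // so obfuscations such as "java\tscript:" normalise to the real scheme
    // and are rejected by the allowlist below.
    parsed = new URL(value, DOC_ORIGIN);
  } catch {
    return null; // unparsable input is treated as untrusted
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Escape a value for use inside a double-quoted HTML attribute.
function encodeAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Apply a (constructed) structure-update message: nodes whose URL attribute
// fails the allowlist are dropped rather than rendered.
function applyStructureUpdate(message) {
  const out = [];
  for (const node of message.nodes) {
    const attr = node.type === "link" ? "href" : "src";
    const safe = sanitizeUrlAttribute(node[attr]);
    if (safe === null) continue;
    out.push({ type: node.type, [attr]: encodeAttribute(safe) });
  }
  return out;
}

// Constructed sample message; the shape is an assumption, not Seadoc's format.
const sample = { nodes: [
  { type: "link", href: "https://example.test/report" },
  { type: "link", href: "java\tscript:alert(document.cookie)" },
  { type: "whiteboard", src: "data:text/html,<script>alert(1)</script>" },
  { type: "whiteboard", src: "/excalidraw/board-1?x=1&y=2" },
]};
```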