CVE-2026-30587 · HIGH 8.7 · EPSS percentile 19.3%

Description

Multiple stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, fixed in 13.0.17, 13.0.17-pro and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize the WebSocket messages that carry document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.

Scoring

CVSS 3.1: 8.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.28% probability of exploitation · percentile 19.3% · 2026-06-19T12:03:05Z
Published: 2026-03-25
Last modified: 2026-05-10

Underlying weaknesses (1)

CWE-79

References

  1. https://gist.github.com/gabdevele/1b7e30ab367b26042fa32f45aa12ce2f
  2. https://github.com/haiwen/seadoc-editor/commit/8fa988aaede072b2ae073d1b2edcb2fc691423b2
  3. https://github.com/haiwen/seahub/commit/4c5301747bdb84c64b2f2b3230417df2d1cc8987
  4. https://manual.seafile.com/12.0/changelog/changelog-for-seafile-professional-server/
  5. https://manual.seafile.com/13.0/changelog/changelog-for-seafile-professional-server/
  6. https://manual.seafile.com/13.0/changelog/server-changelog/


Type     | Target                                                                                        | Confidence | Tier
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-30586
  2. CVE-2024-8608
  3. CVE-2025-2488
  4. CVE-2026-11569
  5. CVE-2026-21628
  6. CVE-2026-50733

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.