PT-2026-28073 · Seafile+2

Gabdevele · Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-30587

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Seafile versions prior to 13.0.17
Seafile versions prior to 13.0.17-pro
Seafile versions prior to 12.0.20-pro
Seafile versions 13.0.15 through 13.0.16-pro
Seafile versions 12.0.14 and earlier

Description

The application does not properly sanitize WebSocket messages related to document structure updates within the Seadoc (sdoc) editor. This allows authenticated remote attackers to inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.

Recommendations

Update to Seafile version 13.0.17.
Update to Seafile version 13.0.17-pro.
Update to Seafile version 12.0.20-pro.
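
A defensive check for the class of flaw described above, as an added example that is not Seafile's code or its actual fix: a server-side scheme allowlist applied to the href and src attributes of every node in a document-update message before it is stored or broadcast. The node shape (`type`, `children`, `href`, `src`), the allowed schemes and the function names are assumptions for illustration.

```javascript
// Added example, not Seafile code. The node shape (type, children, href, src)
// is hypothetical; adapt it to the real document schema.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const URL_ATTRS = ["href", "src"];
const BASE = "https://placeholder.invalid/"; // only resolves relative URLs

function isSafeUrl(value) {
  if (typeof value !== "string") return false;
  try {
    // The WHATWG parser drops leading control characters and embedded
    // tabs/newlines as a browser does, so "java\tscript:" parses as
    // "javascript:" and mixed case is lowercased.
    return ALLOWED_SCHEMES.has(new URL(value, BASE).protocol);
  } catch {
    return false; // unparseable values are rejected, not passed through
  }
}

// Returns a cleaned copy of the node tree plus the paths of removed attributes.
function sanitizeNode(node, path = "root", rejected = []) {
  if (node === null || typeof node !== "object") return { node, rejected };
  const clean = { ...node };
  for (const attr of URL_ATTRS) {
    if (attr in clean && !isSafeUrl(clean[attr])) {
      rejected.push(`${path}.${attr}`);
      delete clean[attr];
    }
  }
  if (Array.isArray(node.children)) {
    clean.children = node.children.map(
      (child, i) => sanitizeNode(child, `${path}.children[${i}]`, rejected).node
    );
  }
  return { node: clean, rejected };
}

// Constructed update message, as a server might receive it over the WebSocket.
const sampleUpdate = {
  type: "document",
  children: [
    { type: "link", href: "https://example.com/spec", children: [{ text: "spec" }] },
    { type: "link", href: "Java\tScript:void(0)", children: [{ text: "x" }] },
    { type: "whiteboard", src: "data:text/html,constructed" },
    { type: "whiteboard", src: "/lib/constructed/board.exdraw" },
  ],
};

const result = sanitizeNode(sampleUpdate);
console.log(result.rejected);
```

The rejected paths are worth logging with the sender's account, since a legitimate editor client should never produce them.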

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2026-30587
GHSA-RQJ3-X344-QVXC

Affected products

Excalidraw
Seadoc
Seafile