CVE-2025-41080

Name of the Vulnerable Software and Affected Versions Seafile version 12.0.10

Description A stored Cross-Site Scripting (XSS) issue exists in Seafile. This allows an attacker to execute arbitrary code in a victim’s browser. The issue is caused by storing malicious payloads with the POST parameter p in the ''/api/v2.1/repos/{repo id}/file/'' API endpoint. The repo id is a variable within the API endpoint.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the p parameter in the ''/api/v2.1/repos/{repo id}/file/'' API endpoint to prevent the injection of malicious scripts.