PT-2026-28073 · Seafile+2
Gabdevele · Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-30587
CVSS v3.1: 8.7 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Seafile versions prior to 13.0.17
Seafile versions prior to 13.0.17-pro
Seafile versions prior to 12.0.20-pro
Seafile versions 13.0.15 through 13.0.16-pro
Seafile versions 12.0.14 and earlier
Description
The application does not properly sanitize WebSocket messages related to document structure updates within the Seadoc (sdoc) editor. This allows authenticated remote attackers to inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
Recommendations
Update to Seafile version 13.0.17.
Update to Seafile version 13.0.17-pro.
Update to Seafile version 12.0.20-pro.
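The description attributes the flaw to unsanitized href and src values carried in document update messages. As an added example (not Seafile's code or its actual fix), the check below applies a server-side scheme allowlist to those attributes before an update is stored or rebroadcast; the node shape, attribute layout and function names are assumptions.

```javascript
// Added example (not Seafile/Seadoc code). The node shape
// { type, href, src, children } is a hypothetical stand-in for an editor
// document tree; adapt the attribute names to the real schema.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const URL_ATTRS = ['href', 'src'];
const BASE = 'https://placeholder.invalid/'; // only used to resolve relative URLs

// True when the value resolves to an allowlisted scheme. The WHATWG URL
// parser lowercases the scheme and strips tabs, newlines and leading
// control characters, so obfuscated schemes are judged as a browser sees them.
function isSafeUrl(value) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  try {
    return ALLOWED_SCHEMES.has(new URL(value, BASE).protocol);
  } catch {
    return false; // unparseable: reject rather than guess
  }
}

// Walk the tree and collect every URL attribute that fails the check.
function findUnsafeUrls(node, path = '$', out = []) {
  if (node === null || typeof node !== 'object') return out;
  for (const attr of URL_ATTRS) {
    if (attr in node && !isSafeUrl(node[attr])) {
      out.push({ path: `${path}.${attr}`, value: String(node[attr]) });
    }
  }
  const children = Array.isArray(node.children) ? node.children : [];
  children.forEach((c, i) => findUnsafeUrls(c, `${path}.children[${i}]`, out));
  return out;
}

// Constructed sample update, as a server might receive it over the socket.
const sampleUpdate = { type: 'paragraph', children: [
  { type: 'link', href: 'https://example.com/report', children: [] },
  { type: 'link', href: 'JaVa\tScRiPt:void(0)', children: [] },
  { type: 'whiteboard', src: 'data:text/html,placeholder', children: [] },
  { type: 'link', href: '/library/file.md', children: [] },
]};

const violations = findUnsafeUrls(sampleUpdate);
console.log(violations.length === 0 ? 'accept' : 'reject', violations);
```

Rejecting the whole update when any violation is found keeps the stored document and every connected client consistent; the same check belongs on the rendering side as a second layer.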
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Excalidraw
Seadoc
Seafile