CVE-2026-30587 Overview
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities have been identified in Seafile Server, an open-source file synchronization and sharing solution. The vulnerabilities exist in the Seadoc (sdoc) editor component, where the application fails to properly sanitize the WebSocket messages that carry document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, and unauthorized actions within the Seafile platform.
Affected Products
- Seafile Server version 13.0.15 and prior
- Seafile Server version 13.0.16-pro and prior
- Seafile Server version 12.0.14 and prior
Discovery Timeline
- 2026-03-25 - CVE-2026-30587 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-30587
Vulnerability Analysis
The Stored XSS vulnerabilities in Seafile Server stem from improper input sanitization within the Seadoc editor's WebSocket message handling. When users collaborate on documents in real-time, the application processes WebSocket messages that contain document structure updates. These messages can include embedded content such as Excalidraw whiteboard elements and hyperlinks.
The application fails to adequately sanitize user-controlled input in two specific contexts: the src attribute of embedded Excalidraw whiteboards and the href attribute of anchor tags. Since these vulnerabilities are stored, malicious payloads persist in the document and execute whenever other users view or edit the affected content, making this a particularly dangerous attack vector in collaborative environments.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and output encoding within the Seadoc editor component. The WebSocket message handler does not properly sanitize or escape HTML special characters and JavaScript protocol handlers before incorporating user-supplied content into the document DOM. An attacker can therefore send a crafted structure update over the WebSocket channel, bypassing any sanitization performed in the editor UI, and have the payload persist in the stored document structure.
The fix addresses this by implementing proper sanitization in both the SeaDoc editor and SeaHub components, as evidenced by the security commits published by the Seafile development team.
Attack Vector
An authenticated attacker can exploit this vulnerability by creating or editing a document within the Seafile Server and embedding malicious JavaScript code. The attack leverages the WebSocket-based real-time collaboration feature:
- The attacker authenticates to the Seafile Server with valid credentials
- The attacker creates or edits a document using the Seadoc editor
- Malicious JavaScript is injected via the src attribute of an Excalidraw whiteboard element or the href attribute of an anchor tag
- The payload is transmitted through WebSocket messages and stored in the document
- When other users open the document, the malicious script executes in their browser context
The vulnerability allows attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. Technical details and proof-of-concept information are available in the GitHub Gist PoC.
Detection Methods for CVE-2026-30587
Indicators of Compromise
- Unusual JavaScript code patterns in document content, particularly javascript: protocol handlers in href or src attributes
- Unexpected WebSocket messages containing script tags or event handlers
- User reports of suspicious browser behavior when viewing specific documents
- Session anomalies where user actions appear to originate from unexpected locations
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in WebSocket traffic
- Monitor server logs for documents containing suspicious HTML patterns or JavaScript protocol handlers
- Deploy Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Audit document content for embedded Excalidraw elements with non-standard src attributes
Monitoring Recommendations
- Enable detailed logging for WebSocket communications within the Seadoc editor
- Configure alerts for documents containing potentially malicious HTML or JavaScript content
- Monitor for unusual user session patterns that may indicate session hijacking
- Review access logs for documents that trigger security policy violations
How to Mitigate CVE-2026-30587
Immediate Actions Required
- Upgrade Seafile Server to version 13.0.17, 13.0.17-pro, or 12.0.20-pro immediately
- Audit existing documents for potentially malicious embedded content
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
- Review recent document editing activity for signs of exploitation
Patch Information
Seafile has released patched versions that address these vulnerabilities. Organizations should upgrade to the following fixed versions:
- Seafile Server 13.0.17 (Community Edition)
- Seafile Server 13.0.17-pro (Professional Edition)
- Seafile Server 12.0.20-pro (Professional Edition for 12.x branch)
The security fixes have been implemented in both the SeaDoc editor and SeaHub components. For detailed information about the patches, refer to the SeaDoc Editor Commit and SeaHub Commit. Release notes are available in the Seafile 13.0 Changelog and Seafile 12.0 Changelog.
Workarounds
- Restrict access to the Seadoc editor feature until patching is complete
- Implement strict Content Security Policy headers to prevent inline script execution
- Disable or restrict the Excalidraw whiteboard embedding feature if not required
- Limit document sharing and collaboration features to trusted users only
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.