CVE-2026-30587: n/a
Multiple stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior (fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro) via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
AI Analysis
Technical Summary
CVE-2026-30587 identifies multiple stored Cross-Site Scripting (XSS) vulnerabilities in Seafile Server, specifically versions 13.0.15, 13.0.16-pro, 12.0.14, and prior. The root cause lies in the Seadoc (sdoc) editor's failure to properly sanitize WebSocket messages that update document structures. These messages can contain malicious JavaScript payloads embedded via the src attribute of Excalidraw whiteboards or the href attribute of anchor tags. Because these payloads are stored within the document, any user who accesses the infected document will have the malicious script executed in their browser context. This can lead to session hijacking, unauthorized actions, or data theft within the Seafile environment. Exploitation requires the attacker to be authenticated, which limits exposure but still poses a risk in environments with many users or where user credentials may be compromised. The vulnerability was addressed in Seafile Server versions 13.0.17, 13.0.17-pro, and 12.0.20-pro by implementing proper sanitization of WebSocket messages and input validation. No public exploits have been reported to date, but the stored nature of the XSS makes it a persistent threat once injected.
Potential Impact
The primary impact of CVE-2026-30587 is the potential for authenticated attackers to execute arbitrary JavaScript in the browsers of other users accessing compromised documents. This can lead to session hijacking, unauthorized access to sensitive data, manipulation of document contents, and potentially lateral movement within the affected organization’s Seafile environment. Confidentiality is at risk as attackers may steal session tokens or sensitive information displayed in the user interface. Integrity can be compromised through unauthorized document modifications or malicious actions performed on behalf of other users. Availability impact is generally low but could be affected if attackers use the vulnerability to disrupt normal operations or inject disruptive scripts. Organizations using vulnerable Seafile versions, especially those with many users collaborating on documents, face increased risk of internal attacks or exploitation following credential compromise. The requirement for authentication reduces the attack surface but does not eliminate risk, particularly in large or less controlled user environments.
Mitigation Recommendations
Organizations should immediately upgrade Seafile Server to versions 13.0.17, 13.0.17-pro, or 12.0.20-pro or later, where the vulnerability is fixed. Until upgrades are applied, administrators should restrict access to the Seadoc editor to trusted users only and monitor document changes for suspicious embedded content, especially Excalidraw whiteboards and anchor tags with unusual src or href attributes. Implement strict access controls and enforce strong authentication mechanisms to reduce the risk of attacker access. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious WebSocket payloads targeting document structure updates. Educate users about the risks of executing unexpected scripts and encourage reporting of unusual document behavior. Regularly audit and sanitize existing documents to remove potentially malicious embedded content. Finally, maintain vigilant monitoring of logs and user activity to detect early signs of exploitation attempts.
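The Technical Summary and the mitigation advice above both come down to one control: every href or src that arrives in a document-structure update must be checked against a scheme allow-list before the update is stored or rendered. The following is an added example written for this page, not Seafile's own code; the node shape ({type, href|src, children}) and the type names 'link' and 'excalidraw' are assumptions, and the sample update is constructed.

```javascript
// Added example (not Seafile code): scheme allow-listing for href/src
// attributes in a document-structure update before it is stored or applied.
// Node shape {type, href|src, children} and the type names are assumed.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// True only if `value` resolves to an allow-listed scheme. The WHATWG URL
// parser lower-cases the scheme and strips tab/newline and leading control
// characters, so "JaVaScRiPt:" or "java\nscript:" are caught as well.
function isSafeUrl(value) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(value, 'https://seafile.invalid/'); // base lets relative paths parse
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(parsed.protocol);
}

// Which attribute carries a URL for each node type of interest (assumed names).
const URL_ATTR = { link: 'href', excalidraw: 'src' };

// Walks the update tree, replaces any unsafe URL with 'about:blank' and records
// what was rewritten. Returns { nodes, findings }; the input is not mutated.
function sanitizeUpdate(nodes, path = 'root', findings = []) {
  const out = nodes.map((node, i) => {
    const here = `${path}[${i}]`;
    const copy = { ...node };
    const attr = URL_ATTR[node.type];
    if (attr && attr in copy && !isSafeUrl(copy[attr])) {
      findings.push({ path: here, type: node.type, attr, value: copy[attr] });
      copy[attr] = 'about:blank';
    }
    if (Array.isArray(node.children)) {
      copy.children = sanitizeUpdate(node.children, here, findings).nodes;
    }
    return copy;
  });
  return { nodes: out, findings };
}

// Constructed sample update: one benign link, one javascript: link with
// leading whitespace and mixed case, one whiteboard whose src is a data: URL.
const SAMPLE_UPDATE = [
  { type: 'paragraph', children: [
    { type: 'link', href: 'https://example.org/spec', children: [] },
    { type: 'link', href: '\tJaVaScRiPt:alert(1)', children: [] },
  ]},
  { type: 'excalidraw', src: 'data:text/html,<script>alert(1)</script>' },
];
```

The findings list is what a detection rule or document audit would log; the returned nodes are what the server should persist.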
Affected Countries
United States, Germany, China, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c41f52f4197a8e3b733a29
Added to database: 3/25/2026, 5:45:54 PM
Last enriched: 3/25/2026, 6:02:10 PM
Last updated: 3/26/2026, 6:42:58 AM
Views: 11