Seafile Server
by Seafile
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-5443 | | High | 0.51 | 7.8 | 0.00 | | Mar 19, 2018 | Seafile Server before 3.1.2 and Server Professional Edition before 3.1.0 allow local users to gain privileges via vectors related to ccnet handling user accounts. |
| CVE-2026-30587 | | High | 0.50 | 8.7 | 0.00 | | Mar 25, 2026 | Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure… |
| CVE-2025-45091 | | Med | 0.35 | 5.4 | 0.00 | | Sep 15, 2025 | Seafile versions 11.0.18-Pro, 12.0.10, and 12.0.10-Pro are vulnerable to a stored Cross-Site Scripting (XSS) attack. An authenticated attacker can exploit this vulnerability by modifying their username to include a malicious XSS payload in notification and activities. |
| CVE-2025-41080 | | | 0.00 | — | 0.00 | | Dec 4, 2025 | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parameter 'p' in '/api/v2.1/repos/{repo_id}/file/'. |
| CVE-2025-41079 | | | 0.00 | — | 0.00 | | Dec 4, 2025 | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parameter 'name' in '/api/v2.1/user/'. |
| CVE-2023-28873 | | | 0.00 | — | 0.00 | | Dec 9, 2023 | An XSS issue in wiki and discussion pages in Seafile 9.0.6 allows attackers to inject JavaScript into the Markdown editor. |
| CVE-2023-28874 | | | 0.00 | — | 0.00 | | Dec 9, 2023 | The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites. |
| CVE-2021-30146 | | | 0.00 | — | 0.01 | | Apr 6, 2021 | Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality." |
| CVE-2020-16143 | | | 0.00 | — | 0.00 | | Jul 29, 2020 | The seafile-client client 7.0.8 for Seafile is vulnerable to DLL hijacking because it loads exchndl.dll from the current working directory. |
| CVE-2013-7469 | | | 0.00 | — | 0.01 | | Feb 21, 2019 | Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks. |