Seafile Community Edition Stored Cross-Site Scripting Vulnerability via SVG Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Seafile Community Edition versions prior to 13.0.12. When the Golang file server is enabled, an attacker can upload a malicious SVG file containing JavaScript, share it via a public link, and execute the script in the browser of anyone who opens the link.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the JavaScript embedded in an uploaded SVG file runs in the browser of whoever views the shared link, in the context of that viewing user.

Reproduction

To reproduce this vulnerability, upload a crafted SVG file containing JavaScript into a Seafile Community Edition instance with the Golang file server enabled. Once uploaded, share the file using a public link. When the link is opened, the JavaScript embedded in the SVG will execute in the browser.

Remediation

Upgrade to Seafile Community Edition version 13.0.12 or later, which contains the fix for this vulnerability.
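The two defensive layers a practitioner would want around the behaviour described above are an upload-time check that flags SVG documents carrying script-capable content, and a hardened download path that never renders user-supplied SVG inline in the site's origin. The Go program below is an added example written for this page; it is not Seafile's code or its fix, and the names containsActiveContent, serveShared, fetch and the in-memory sampleStore are assumptions constructed for the example. The SVG documents in sampleStore are constructed test inputs.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// fileStore is a constructed stand-in for a file server's storage (not Seafile's).
type fileStore map[string][]byte

// Constructed sample documents: one benign SVG, one with a <script> element,
// one with an event-handler attribute.
var sampleStore = fileStore{
	"logo.svg":    []byte(`<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>`),
	"script.svg":  []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>/* any script */</script></svg>`),
	"handler.svg": []byte(`<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" onload="x()"/></svg>`),
}

// containsActiveContent reports whether an SVG document carries script-capable
// content: <script> elements, on* event-handler attributes, javascript: URLs or
// <foreignObject> (which can embed HTML). Malformed XML is treated as active
// so the check fails closed. Hypothetical helper written for this example.
func containsActiveContent(svg []byte) (bool, string) {
	dec := xml.NewDecoder(bytes.NewReader(svg))
	dec.Strict = false // tolerate HTML-style entities, but still fail on syntax errors
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false, ""
		}
		if err != nil {
			return true, "malformed XML: " + err.Error()
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		local := strings.ToLower(se.Name.Local)
		if local == "script" || local == "foreignobject" {
			return true, "<" + se.Name.Local + "> element"
		}
		for _, a := range se.Attr {
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") {
				return true, "event handler attribute " + a.Name.Local
			}
			if strings.HasPrefix(strings.ToLower(strings.TrimSpace(a.Value)), "javascript:") {
				return true, "javascript: URL in attribute " + a.Name.Local
			}
		}
	}
}

// serveShared returns a handler for public-link downloads under /f/<name>.
// With hardened=false it only sets Content-Type, so a browser navigating to an
// SVG renders it as a document and runs its scripts. With hardened=true it
// forbids MIME sniffing, applies a CSP that blocks all script and sandboxes
// the document, and forces SVG to download instead of rendering inline.
func serveShared(store fileStore, hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/f/")
		data, ok := store[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		ct := "application/octet-stream"
		if strings.HasSuffix(strings.ToLower(name), ".svg") {
			ct = "image/svg+xml"
		}
		w.Header().Set("Content-Type", ct)
		if hardened {
			w.Header().Set("X-Content-Type-Options", "nosniff")
			w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
			if ct == "image/svg+xml" {
				w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
			}
		}
		w.Write(data)
	})
}

// fetch issues an in-process GET against the handler and returns the response.
func fetch(h http.Handler, path string) *http.Response {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	for name, doc := range sampleStore {
		active, why := containsActiveContent(doc)
		fmt.Printf("%-12s active=%v %s\n", name, active, why)
	}
	for _, hardened := range []bool{false, true} {
		resp := fetch(serveShared(sampleStore, hardened), "/f/script.svg")
		fmt.Printf("hardened=%v Content-Disposition=%q CSP=%q\n", hardened,
			resp.Header.Get("Content-Disposition"), resp.Header.Get("Content-Security-Policy"))
	}
}
```

The upload-time check is a detection aid, not a complete sanitizer; the serving headers are what actually remove the script-execution path, because a browser that receives an SVG with Content-Disposition: attachment downloads it rather than rendering it as a document, and SVG embedded through an img tag does not execute scripts in any case. Serving user uploads from a separate origin is the further step that keeps any remaining inline rendering out of the application's session context.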

Added: Dec 4, 2025, 4:18 PM
Updated: Dec 4, 2025, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          1.7
exploitability  5.3
remediation     7.7
relevance       1.3
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.