SCA: security update for @seafile/sdoc-editor (GHSA-rqj3-x344-qvxc)

high Tenable Cloud Security Plugin ID 439685

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior
and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to
properly sanitize WebSocket messages regarding document structure updates. This allows authenticated
remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw
whiteboards or the href attribute of anchor tags (CVE-2026-30587)

Solution

Update the @seafile/sdoc-editor library and its related packages to version 2.0.209 or later.

See Also

https://github.com/advisories/GHSA-rqj3-x344-qvxc

Plugin Details

Severity: High

ID: 439685

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 4/2/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.62

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2026-30587

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/25/2026

Vulnerability Publication Date: 3/25/2026

Reference Information

CVE: CVE-2026-30587

cwe: CWE-79