CVE-2025-41079
MEDIUMSeafile < 12.0.14 - Stored Cross-Site Scripting via PUT 'name' Parameter in User API
Title source: llmDescription
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parámetro 'name' in '/api/v2.1/user/'.
References (1)
Core 1
Core References
Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile
Scores
CVSS v3
6.1
EPSS
0.0016
EPSS Percentile
5.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
seafile/seafile
< 12.0.14
Published
Dec 04, 2025
Tracked Since
Feb 18, 2026