Cross-Origin Information Disclosure in SeaweedFS by SeaweedFS
CVE-2026-58371
2.3 LOW
Key Information:
Badges
Exploit Exists
What is CVE-2026-58371?
SeaweedFS versions before 4.30 reflect the `callback` query parameter into JSON responses without validating it (JSONP-style output). This affects several JSON endpoints, including some that are reachable without authentication, which can expose information such as cluster topology and volume server URLs. Because the responses are served without an `X-Content-Type-Options: nosniff` header, a browser may sniff the reflected content and interpret it as HTML. An attacker can exploit this by loading the affected endpoints from a third-party web page, disclosing that information across origins.
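The two defensive measures the description implies, restricting the callback to a strict identifier allow-list and sending `nosniff` on every response, can be demonstrated in Go, the language SeaweedFS is written in. The block below is an added illustration, not SeaweedFS's own code or fix; the `WriteJSON`, `ValidCallback` and `Serve` names, the `/cluster/status` path and the status payload are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// callbackPattern is a strict allow-list for JSONP callback names: a plain
// JavaScript identifier with optional dotted segments (an assumption about
// what legitimate callers need; anything else is rejected, never reflected).
var callbackPattern = regexp.MustCompile(`^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$`)

// ValidCallback reports whether a callback parameter is safe to reflect.
func ValidCallback(cb string) bool {
	return len(cb) <= 64 && callbackPattern.MatchString(cb)
}

// WriteJSON writes v as JSON, or as a JSONP call when a valid callback is given.
// It always sets X-Content-Type-Options: nosniff so the body cannot be sniffed
// as HTML, and answers 400 for a callback outside the allow-list.
func WriteJSON(w http.ResponseWriter, r *http.Request, v interface{}) error {
	body, err := json.Marshal(v)
	if err != nil {
		return err
	}
	w.Header().Set("X-Content-Type-Options", "nosniff")
	cb := r.URL.Query().Get("callback")
	if cb == "" {
		w.Header().Set("Content-Type", "application/json")
		_, err = w.Write(body)
		return err
	}
	if !ValidCallback(cb) {
		http.Error(w, "invalid callback parameter", http.StatusBadRequest)
		return fmt.Errorf("rejected callback %q", cb)
	}
	w.Header().Set("Content-Type", "application/javascript")
	_, err = fmt.Fprintf(w, "%s(%s)", cb, body)
	return err
}

// Response captures what the handler produced so it can be inspected.
type Response struct {
	Status      int
	ContentType string
	Nosniff     string
	Body        string
}

// Serve runs the handler against a constructed request carrying the given
// query string and returns the observable parts of the response.
func Serve(query string) Response {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/cluster/status?"+query, nil)
	// Constructed sample payload standing in for a status endpoint's output.
	_ = WriteJSON(rec, req, map[string]interface{}{
		"IsLeader": true,
		"Peers":    []string{"192.0.2.10:9333"},
	})
	res := rec.Result()
	return Response{
		Status:      res.StatusCode,
		ContentType: res.Header.Get("Content-Type"),
		Nosniff:     res.Header.Get("X-Content-Type-Options"),
		Body:        rec.Body.String(),
	}
}

func main() {
	// "x<b>" (URL-encoded) is a constructed non-identifier value that the
	// allow-list must refuse instead of echoing it into the response body.
	for _, q := range []string{"", "callback=handle", "callback=x%3Cb%3E"} {
		fmt.Printf("%-24q -> %+v\n", q, Serve(q))
	}
}
```

The check worth keeping from this example is the combination: the allow-list stops arbitrary bytes from being reflected, and `nosniff` on every response (including the error path, which `http.Error` also sets) stops a browser from reinterpreting whatever is reflected as HTML.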
Affected Version(s)
seaweedfs 0 < 4.30
References
CVSS V4
Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
- Public PoC available
- Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
George Chen
