CVE-2026-58371 | SeaweedFS before 4.30 reflects the callback query parameter … | CVSS 3.1 LOW

Description

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.

Metadata

CVE ID: CVE-2026-58371
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-30 12:28 UTC
Published: 2026-06-30 15:57 UTC
Last updated: 2026-06-30 15:57 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: seaweedfs / seaweedfs
Sources: cve.org · NVD

Severity & Metrics

3.1 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
seaweedfs	seaweedfs	—	0 < 4.30

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
3.1	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
2.3	LOW	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (5)