CVE-2026-58371
CVSS 3.1: Low
Exploitation Probability (EPSS): Low risk, 11th percentile (higher than 11% of all known CVEs)
Summary
A vulnerability in SeaweedFS before version 4.30 reflects the callback query parameter without validation into JSON responses served as application/javascript. Because no X-Content-Type-Options: nosniff header is sent and no CORS allow-list is enforced, an attacker can load the response of any JSON endpoint (including unauthenticated ones) via a <script> tag from a third-party web page.
Risk Assessment
The organization is at risk of leaking sensitive information such as cluster topology, volume server addresses, gRPC ports, file identifiers, and directory listings. An attacker from an external website can read this data, potentially leading to further attacks on the infrastructure.
Recommendation
Immediately upgrade SeaweedFS to version 4.30 or later. Additionally, enable a CORS allow-list in the configuration, set the X-Content-Type-Options: nosniff header, and restrict access to endpoints using the -whiteList parameter or security.toml file.
Original NVD description (English source)
SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.
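The two forms of such a JSONP helper side by side, as an added Go example that is not SeaweedFS's own writeJson: writeJSONVulnerable reproduces the reflection described above, writeJSONHardened validates the callback name and always sends nosniff, and callbackRe, serve and the sample payload are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// writeJSONVulnerable is a constructed stand-in for a helper with the flaw
// described above: ?callback= is reflected verbatim, with no nosniff header.
func writeJSONVulnerable(w http.ResponseWriter, r *http.Request, obj interface{}) {
	body, _ := json.Marshal(obj)
	if cb := r.FormValue("callback"); cb != "" {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprintf(w, "%s(%s)", cb, body)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(body)
}

// callbackRe accepts only a dotted JavaScript identifier such as "handle.result".
var callbackRe = regexp.MustCompile(`^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$`)
// writeJSONHardened rejects any other callback with 400 and sends nosniff on
// every response, so a reflected body is never MIME-sniffed as HTML.
func writeJSONHardened(w http.ResponseWriter, r *http.Request, obj interface{}) {
	w.Header().Set("X-Content-Type-Options", "nosniff")
	cb := r.FormValue("callback")
	if cb != "" && !callbackRe.MatchString(cb) {
		http.Error(w, "invalid callback", http.StatusBadRequest)
		return
	}
	body, _ := json.Marshal(obj)
	if cb != "" {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprintf(w, "/**/ %s(%s);", cb, body) // leading comment blunts sniffing
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(body)
}

// serve runs a helper against a constructed GET request and returns the recorded response.
func serve(h func(http.ResponseWriter, *http.Request, interface{}), target string) *httptest.ResponseRecorder {
	rec, req := httptest.NewRecorder(), httptest.NewRequest("GET", target, nil)
	h(rec, req, map[string]string{"Leader": "10.0.0.1:9333"}) // constructed sample payload
	return rec
}
```

The CORS allow-list the advisory also recommends is a separate, Origin-based check and is not part of this block.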