CVE-2026-58371

SeaweedFS before 4.30 is vulnerable to cross-origin information disclosure via an unvalidated JSONP callback parameter. The shared writeJson helper can reflect the callback verbatim into responses served as application/javascript without callback-name validation, missing X-Content-Type-Options: n...