Description
Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag that starts with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary HTML, leading to a possible XSS attack. Version 0.16.0 fixes the issue.
Published: 2026-01-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via Suggested Tags
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary HTML through a tag that begins with a double quote. Because the tag text is placed inside a quoted attribute, the leading quote prematurely closes the input element on the start page, enabling the injection of markup and resulting in a stored cross-site scripting flaw. The weakness is a classic output-encoding failure identified as CWE-79. Attackers who can create or edit tags can embed scripts that execute in the browsers of anyone who views the affected page, potentially compromising account credentials or performing session hijacking, thereby affecting the confidentiality and integrity of the system. The impact scope covers all users who access the bookmarking interface, potentially rendering the service unusable for legitimate visitors.

Affected Systems

Shaarli personal bookmarking service versions older than 0.16.0. All installations prior to this release, regardless of deployment environment, are susceptible as they lack the input sanitization fix introduced in 0.16.0.

Risk and Exploitability

The CVSS v3 score of 5.3 indicates moderate severity, while the EPSS value of less than 1% suggests low current exploit probability. The vulnerability is not listed in the CISA KEV catalog, implying it is not actively exploited in the wild. The likely attack vector involves an attacker creating a malicious tag via the suggested tags feature; this requires write access to tag data. Once injected, the payload is stored and delivered to subsequent users who view the page, making it a classic stored XSS scenario.

Generated by OpenCVE AI on April 18, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Shaarli 0.16.0 or later, which removes the double‑quote parsing bug and sanitizes tag input.
  • If upgrading cannot be performed immediately, disable the suggested tags feature or restrict tag creation to administrators only to stop new malicious tags from being added.
  • Apply input sanitization manually by escaping quotation marks in existing tags or by performing a database cleanup to replace problematic tag values before the application starts up.
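To make the attribute-breakout mechanism described in the Impact section and the quotation-mark escaping named in the recommended actions concrete, the following Python example is added here. It is not Shaarli's code: the template shape, the function names and the sample tag list are constructed for illustration. It contrasts a `value` attribute filled without escaping against one escaped with `html.escape(quote=True)`, counts how many `<input>` elements survive intact in each rendering, and includes an audit helper that lists stored tags containing a double quote.

```python
import html
import re

# Constructed sample tag list (not from any Shaarli instance). The second
# entry starts with a double quote, which is the shape of tag the advisory
# describes; the last one carries a quote in the middle.
SAMPLE_TAGS = ["python", '" extra', "security", 'a"b']

# Hypothetical template fragment, assumed for illustration only.
_TEMPLATE = '<input type="hidden" name="tag" value="{value}">'


def render_suggested_tags_unsafe(tags):
    """Vulnerable pattern (reconstructed, not Shaarli's code): the raw tag
    text is interpolated straight into a quoted attribute, so a tag that
    begins with '"' closes the attribute early."""
    return "".join(_TEMPLATE.format(value=t) for t in tags)


def render_suggested_tags_safe(tags):
    """Hardened pattern: attribute-context escaping. quote=True turns every
    '"' into &quot; (and "'" into &#x27;), so no tag can end the attribute."""
    return "".join(_TEMPLATE.format(value=html.escape(t, quote=True)) for t in tags)


# Matches an <input> whose value attribute is still one well-formed quoted
# token followed directly by the closing '>'.
_INTACT_INPUT_RE = re.compile(r'<input type="hidden" name="tag" value="[^"]*">')


def count_intact_inputs(markup):
    """Count <input> elements whose value attribute survived as a single
    quoted token; an element broken open by an embedded quote is not counted."""
    return len(_INTACT_INPUT_RE.findall(markup))


def find_tags_with_quotes(tags):
    """Audit helper for the manual-cleanup step: list stored tags that
    contain a double quote and would break an unescaped attribute."""
    return [t for t in tags if '"' in t]


if __name__ == "__main__":
    unsafe = render_suggested_tags_unsafe(SAMPLE_TAGS)
    safe = render_suggested_tags_safe(SAMPLE_TAGS)
    print("unsafe intact inputs:", count_intact_inputs(unsafe), "of", len(SAMPLE_TAGS))
    print("safe intact inputs:  ", count_intact_inputs(safe), "of", len(SAMPLE_TAGS))
    print("tags needing cleanup:", find_tags_with_quotes(SAMPLE_TAGS))
```

Escaping at output time is the durable fix; the audit helper only covers the interim cleanup of tags already stored, and `html.unescape` reverses the escaping losslessly, so no tag data is altered by rendering it safely.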


Tracking


Advisories
Source: Debian DSA
ID: DSA-6128-1
Title: shaarli security update
History

Tue, 17 Feb 2026 21:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:shaarli_project:shaarli:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 27 Jan 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Shaarli Project; Shaarli Project shaarli

Type: Vendors & Products
Values Removed: (none)
Values Added: Shaarli Project; Shaarli Project shaarli

Mon, 26 Jan 2026 22:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.

Type: Title
Values Removed: (none)
Values Added: Shaarli vulnerable to stored XSS via Suggested Tags

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Shaarli Project Shaarli
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T15:20:27.830Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24476

Vulnrichment

Updated: 2026-01-27T15:20:15.443Z

NVD

Status : Analyzed

Published: 2026-01-26T23:16:09.283

Modified: 2026-02-17T20:45:33.310

Link: CVE-2026-24476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses