Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.
Published: 2026-06-17
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A DOM-based XSS flaw exists in Shaarli's Thumbnail Synchronizer. When an administrator triggers the thumbnail update, the backend method ThumbnailsController::ajaxUpdate formats the bookmark with the 'raw' formatter and returns its title unescaped in the JSON response; the client script thumbnails-update.js then writes that title into the progress interface through innerHTML. Because the title is neither escaped on the server nor rendered as text on the client, an attacker who controls a stored bookmark title can inject markup and script that execute in the administrator's authenticated browser session. Successful exploitation could allow the attacker to hijack that session, elevate privileges, insert a backdoor, or fully compromise the site. The weakness is classified as CWE-79.
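As an added illustration for the flow described in the Description and in this Impact section (this is not Shaarli's code and is not taken from thumbnails-update.js or ThumbnailsController::ajaxUpdate), the JavaScript below models the two halves of the bug: a JSON response whose title field is passed through unescaped, and a progress renderer that interpolates it into markup destined for innerHTML. The sample response, the JSON field names, the function names and the minimal document stand-in are all assumptions. Beside the vulnerable renderer are the two standard fixes, escaping before interpolation and rendering through textContent, plus a tag-counting check that tells the outputs apart.

```javascript
// Added illustration, not Shaarli's code. Models the progress renderer the
// advisory describes: the thumbnail-update endpoint answers with JSON that
// carries the raw bookmark title, and the page script renders it. The JSON
// shape and all function names here are assumptions.

// Constructed sample response (hypothetical payload, not real bookmark data).
// The stored title carries markup with an event-handler attribute.
const SAMPLE_RESPONSE = JSON.stringify({
  id: 42,
  title: 'Weekly notes <img src=x onerror="document.title=\'pwned\'">',
  url: 'https://example.invalid/notes',
});

// Vulnerable pattern: build HTML by string interpolation and hand it to an
// innerHTML sink. JSON.parse preserves '<' and '>' exactly, so markup inside
// `title` becomes live DOM when the browser parses the string.
function renderProgressVulnerable(responseText) {
  const bookmark = JSON.parse(responseText);
  // In the browser: progressElement.innerHTML = html;
  return `<div class="thumbnail-progress">Updating: ${bookmark.title}</div>`;
}

// Fix (a): escape the five characters that carry meaning in HTML text and
// attribute contexts before interpolating into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderProgressEscaped(responseText) {
  const bookmark = JSON.parse(responseText);
  return `<div class="thumbnail-progress">Updating: ${escapeHtml(bookmark.title)}</div>`;
}

// Fix (b): avoid a markup sink altogether. textContent never parses its value
// as HTML, so a browser shows the title literally whatever it contains. `doc`
// is the document object; a stand-in is defined below so this runs under Node.
function renderProgressTextContent(responseText, doc) {
  const bookmark = JSON.parse(responseText);
  const container = doc.createElement('div');
  container.className = 'thumbnail-progress';
  container.textContent = `Updating: ${bookmark.title}`;
  return container;
}

// Minimal stand-in for `document`, enough to exercise fix (b) outside a
// browser. It models only the properties the code above touches.
const fakeDocument = {
  createElement: (tag) => ({ tagName: tag.toUpperCase(), className: '', textContent: '' }),
};

// Review check: count element start tags in a rendered fragment. The wrapper
// contributes exactly one; anything beyond that came from the bookmark title.
function countOpenTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Stand-alone demonstration.
const vulnerable = renderProgressVulnerable(SAMPLE_RESPONSE);
const escaped = renderProgressEscaped(SAMPLE_RESPONSE);
console.log('vulnerable tags:', countOpenTags(vulnerable), vulnerable);
console.log('escaped tags:   ', countOpenTags(escaped), escaped);
console.log('textContent:    ', renderProgressTextContent(SAMPLE_RESPONSE, fakeDocument).textContent);
```

The tag count is a cheap regression check for this class of bug: any rendering path that takes user-influenced strings should produce the same number of element start tags regardless of what those strings contain. Fix (b) is preferable when the fragment needs no markup at all, since it removes the sink rather than relying on every call site remembering to escape.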

Affected Systems

The vulnerability affects the Shaarli bookmarking service, version 0.16.1 and all earlier releases. Administrators who run the thumbnail synchronization feature on these releases are exposed, because that action is what renders the raw bookmark titles in their browser. The CVE description states that the issue is fixed in Shaarli 0.16.2.

Risk and Exploitability

The CVSS 3.1 vector recorded for this CVE (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N) yields a base score of 5.8, Medium: it assumes high privileges and user interaction, with high confidentiality and integrity impact and no availability impact. The EPSS score is below 1%, a very low estimated likelihood of exploitation in the wild, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. Exploitation needs two things: a bookmark whose stored title carries attacker-controlled markup, and an administrator who then runs the thumbnail synchronization, the only path described as rendering that title via innerHTML. The interaction requirement keeps the score moderate, but the injected script runs with the administrator's full privileges, so the impact on an affected instance is high.

Generated by OpenCVE AI on June 18, 2026 at 19:17 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the CVE description states that the issue is fixed in Shaarli 0.16.2.

OpenCVE Recommended Actions

  • Upgrade to Shaarli 0.16.2 or later, the release the CVE description names as fixing the issue.
  • If upgrading immediately is not possible, do not run the thumbnail synchronization from an administrator session until the instance is patched, since that action is what renders the raw bookmark titles through innerHTML.
  • Before re-enabling the feature on an unpatched instance, review stored bookmark titles for HTML markup or script content (tags, event-handler attributes); a planted title executes the moment an administrator runs the sync.

Generated by OpenCVE AI on June 18, 2026 at 19:17 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

  Metrics (added): ssvc
    Exploitation: none
    Automatable: no
    Technical Impact: partial
    SSVC version: 2.0.3

Thu, 18 Jun 2026 04:45:00 +0000

  Description (added): Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.
  Title (added): Shaarli: DOM-based Cross-Site Scripting (XSS) in Thumbnail Synchronizer
  Weaknesses (added): CWE-79
  References (added): (empty)
  Metrics (added): cvssV3_1
    Score: 5.8
    Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:57:01.649Z

Reserved: 2026-05-22T20:57:10.977Z

Link: CVE-2026-48821

Vulnrichment

Updated: 2026-06-18T12:56:51.860Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')