Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php. This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]\((.*?)\)#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and, as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2.
Published: 2026-06-17
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Shaarli's Markdown-to-HTML conversion process contains a stored Cross-Site Scripting flaw that arises when the filterProtocols method fails to sanitize reference-style Markdown links. An authenticated user can inject a malicious "javascript:" URI into a bookmark's description field; the Markdown parser later resolves this reference and delivers the payload to any user who views the bookmark. When the payload executes in the victim's browser, an attacker could potentially steal session data, hijack the account, or inject arbitrary UI changes. These impacts are inferred from typical XSS vectors and are not explicitly stated in the vendor description.

Affected Systems

The vulnerability affects the Shaarli bookmarking application, specifically any installation running version 0.16.1 or earlier. Version 0.16.2 and later contain the fix, so upgrading is a direct remediation path.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity. The EPSS score is below 1%, suggesting that, as of now, the probability of exploitation is low and no known public exploits are linked to this CVE. The vulnerability is not listed in the CISA KEV catalog. Exploitation is confined to authenticated users who can create or edit bookmarks; once a malicious bookmark is published, all users who view it are at risk. Given the limited attack surface and low exploitation likelihood, the overall risk is moderate, but the impact remains significant if the flaw is exploited.

Generated by OpenCVE AI on June 18, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Shaarli version 0.16.2 or later to apply the vendor patch that sanitizes Markdown reference links.
  • Implement server‑side input validation to reject "javascript:" URIs in Markdown link definitions before storing bookmark descriptions.
  • Enforce that only users with appropriate permissions can create or edit bookmarks, and consider applying a Content Security Policy that restricts inline scripts to reduce damage from any residual XSS.
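As an added illustration of the gap in the description above and of the server-side validation suggested in the recommended actions, here is example code written for this page (it is not Shaarli's filterProtocols nor its 0.16.2 fix): a Python model of an inline-only filter built on the regex quoted in the advisory, beside a version that also inspects reference definitions. The reference-definition pattern, the "#" replacement target, the blocked-scheme list and the sample description are all assumptions constructed for the example.

```python
import re

# Inline-link filter modelled on the advisory's regex "#]\((.*?)\)#is":
# it only sees "](...)" targets, so reference definitions are never inspected.
INLINE_LINK_RE = re.compile(r"\]\((.*?)\)", re.IGNORECASE | re.DOTALL)

# Reference definition "[label]: url" at line start. This pattern is an
# assumption for the example, not taken from Shaarli's code.
REF_DEF_RE = re.compile(
    r"^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?([^\s>]+)>?",
    re.IGNORECASE | re.MULTILINE,
)

# Scheme list chosen for this example; the advisory names javascript: only.
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


def is_dangerous(url: str) -> bool:
    """Compare the scheme after stripping whitespace/control bytes that
    browsers ignore in URLs, so 'java\\nscript:' is also caught."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url).lower()
    return cleaned.startswith(BLOCKED_SCHEMES)


def filter_inline_only(md: str) -> str:
    """Inline-only filter: reproduces the gap the advisory describes."""
    def repl(m):
        return "](#)" if is_dangerous(m.group(1)) else m.group(0)
    return INLINE_LINK_RE.sub(repl, md)


def filter_hardened(md: str) -> str:
    """Same inline filtering, plus neutralising reference definitions
    (replacing the target with '#' is this example's choice)."""
    md = filter_inline_only(md)
    def repl(m):
        label, url = m.group(1), m.group(2)
        return f"[{label}]: #" if is_dangerous(url) else m.group(0)
    return REF_DEF_RE.sub(repl, md)


# Constructed sample description: one inline link and one reference-style
# link, both using a placeholder javascript: URI.
SAMPLE = (
    "Inline: [a](javascript:placeholder)\n"
    "Reference: [b][ref]\n\n"
    "[ref]: javascript:placeholder \"title\"\n"
)

if __name__ == "__main__":
    print(filter_inline_only(SAMPLE))  # reference definition survives
    print(filter_hardened(SAMPLE))     # both targets neutralised
```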

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Values Removed: (none)

Values Added:

Description: Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php. This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]\((.*?)\)#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and, as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2.
Title: Shaarli has Stored Cross-Site Scripting (XSS) via Markdown Reference Links
Weaknesses: CWE-79
References:
Metrics (cvssV3_1): {'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T15:42:42.133Z

Reserved: 2026-05-22T20:57:10.977Z

Link: CVE-2026-48822

Vulnrichment

Updated: 2026-06-18T15:42:19.798Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')