Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the "Filter by tag" search functionality, including administrators and privileged users. This issue has been fixed in version 0.16.2.
Published: 2026-06-17
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an authenticated user to embed arbitrary JavaScript inside bookmark tags. The malicious code is stored in the database and later executed whenever a user triggers the tag filtering feature on the homepage, resulting in client-side script execution. This is unsafe handling of user input in a dynamically rendered element (CWE-79).

Affected Systems

Shaarli versions 0.16.1 and all earlier releases are vulnerable; the issue was fixed in 0.16.2.

Risk and Exploitability

The CVSS score of 4.8 classifies the vulnerability as Medium. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. An authenticated user can create a malicious bookmark, and the payload will be displayed to any other user who filters by that tag. No additional conditions beyond authentication and bookmark creation are required to exploit the weakness.

Generated by OpenCVE AI on June 18, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Shaarli v0.16.2 or later, which removes unsanitized tag rendering in the filter interface
  • If an upgrade cannot be performed immediately, modify the tag handling code to escape or strip HTML and JavaScript from user input before storing it in the database, preventing executable content from being persisted
  • Apply a Content Security Policy that blocks inline scripting or event handler attributes, adding an extra layer of protection against any residual XSS payloads
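The two code-level actions above (escape or strip tag values, and set a Content Security Policy) can be illustrated side by side. The following is an added example, not Shaarli's own code: it assumes the tag filter is rendered from a list of stored tag strings into a `searchtags` query link, which is an assumption about the template rather than a description of Shaarli's real RainTPL views. The sample tag values, including the one carrying an event-handler attribute, are constructed for the demonstration.

```javascript
// Added example (not Shaarli's code): an injection-prone tag-filter renderer next to
// a hardened one, the storage-time stripping suggested above, and a CSP header value.
// The 'searchtags' link shape and the sample tags below are constructed assumptions.

// Escape the five characters that change meaning in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Storage-time hardening from the recommended actions: drop anything that looks like
// markup before a tag is persisted, so the stored value stays inert even if some view
// later forgets to escape it. Output escaping remains the primary control.
function sanitizeTagForStorage(tag) {
  return String(tag).replace(/<[^>]*>/g, '').replace(/[<>]/g, '').trim();
}

// Injection-prone pattern: the raw tag string is concatenated straight into markup,
// so a tag containing an element with an on* attribute becomes live DOM.
function renderTagFilterUnsafe(tags) {
  return '<ul class="tag-filter">' +
    tags.map((t) => `<li><a href="?searchtags=${t}">${t}</a></li>`).join('') +
    '</ul>';
}

// Hardened pattern: each dynamic value is encoded for the context it lands in
// (encodeURIComponent for the query string, escapeHtml for attribute and text).
function renderTagFilterSafe(tags) {
  return '<ul class="tag-filter">' +
    tags.map((t) =>
      `<li><a href="?searchtags=${escapeHtml(encodeURIComponent(t))}">${escapeHtml(t)}</a></li>`
    ).join('') +
    '</ul>';
}

// Crude check used only to show the difference between the two renderers: does the
// produced markup contain an element with an on* event-handler attribute?
function containsEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// CSP value matching the third recommended action: no inline scripts and no
// event-handler attributes are executed; only scripts served by the site itself.
const CSP_HEADER_VALUE =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample tags: two ordinary ones and one carrying markup with an event handler.
const SAMPLE_TAGS = ['security', 'shaarli', '<b onmouseover="x()">news</b>'];

// Renders both variants and reports which one would ship a live event handler.
function demo(tags = SAMPLE_TAGS) {
  const unsafeHtml = renderTagFilterUnsafe(tags);
  const safeHtml = renderTagFilterSafe(tags);
  return {
    unsafeHasHandler: containsEventHandler(unsafeHtml),
    safeHasHandler: containsEventHandler(safeHtml),
    storedTags: tags.map(sanitizeTagForStorage),
    cspHeader: CSP_HEADER_VALUE,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see that the unsafe renderer emits the handler attribute while the hardened one emits only escaped text; `CSP_HEADER_VALUE` is what would go into the `Content-Security-Policy` response header so that any stored payload that still reaches a page cannot run.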

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the "Filter by tag" search functionality, administrators and privileged users. This issue has been fixed in version 0.16.2.
Title       |                | Shaarli has Stored Cross-Site Scripting (XSS) via Tags Search
Weaknesses  |                | CWE-79
References  |                | (none listed)
Metrics     |                | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:56:49.567Z

Reserved: 2026-05-22T20:57:10.977Z

Link: CVE-2026-48823

Vulnrichment

Updated: 2026-06-18T12:56:21.399Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')