3 vulnerabilities by shaarli
CVE-2026-24476 (GCVE-0-2026-24476)
Vulnerability from cvelistv5 – Published: 2026-01-26 22:26 – Updated: 2026-01-27 15:20
Title
Shaarli vulnerable to stored XSS via Suggested Tags
Summary
Shaarli is a personal bookmarking service. Prior to version 0.16.0, a crafted tag starting with `"` prematurely ends the `<input>` tag on the start page, which allows an attacker to add arbitrary HTML and can lead to an XSS attack. Version 0.16.0 fixes the issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T15:19:45.323810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T15:20:27.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `\"` prematurely ends the `\u003cinput\u003e` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T22:26:59.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg"
},
{
"name": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063"
}
],
"source": {
"advisory": "GHSA-g3xq-mj52-f8pg",
"discovery": "UNKNOWN"
},
"title": "Shaarli vulnerable to stored XSS via Suggested Tags"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24476",
"datePublished": "2026-01-26T22:26:59.886Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-01-27T15:20:27.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55291 (GCVE-0-2025-55291)
Vulnerability from cvelistv5 – Published: 2025-08-18 17:06 – Updated: 2025-08-18 19:56
Title
Shaarli allows reflected XSS via searchtags parameter
Summary
Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the `<title>` element to be closed prematurely by a `</title>` tag in the input, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0.
Severity ?
7.1 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T19:56:12.894520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T19:56:41.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the \u003c/title\u003e tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:06:35.799Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h"
},
{
"name": "https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6"
}
],
"source": {
"advisory": "GHSA-7w7w-pw4j-265h",
"discovery": "UNKNOWN"
},
"title": "Shaarli allows reflected XSS via searchtags parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55291",
"datePublished": "2025-08-18T17:06:35.799Z",
"dateReserved": "2025-08-12T16:15:30.237Z",
"dateUpdated": "2025-08-18T19:56:41.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7351 (GCVE-0-2013-7351)
Vulnerability from cvelistv5 – Published: 2020-01-02 19:42 – Updated: 2024-08-06 18:01
Summary
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "Shaarli",
"versions": [
{
"status": "affected",
"version": "before 53da201749f8f362323ef278bf338f1d9f7a925a"
}
]
}
],
"datePublic": "2013-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T19:42:16",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2013-7351",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Shaarli",
"version": {
"version_data": [
{
"version_value": "before 53da201749f8f362323ef278bf338f1d9f7a925a"
}
]
}
}
]
},
"vendor_name": "Shaarli"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a",
"refsource": "CONFIRM",
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"name": "https://github.com/sebsauvage/Shaarli/issues/134",
"refsource": "CONFIRM",
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"name": "http://seclists.org/oss-sec/2014/q2/1",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"name": "http://seclists.org/oss-sec/2014/q2/4",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2013-7351",
"datePublished": "2020-01-02T19:42:16",
"dateReserved": "2014-04-01T00:00:00",
"dateUpdated": "2024-08-06T18:01:20.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}