Search criteria
5 vulnerabilities by shaarli_project
CVE-2026-24476 (GCVE-0-2026-24476)
Vulnerability from cvelistv5 – Published: 2026-01-26 22:26 – Updated: 2026-01-27 15:20
VLAI
Title
Shaarli vulnerable to stored XSS via Suggested Tags
Summary
Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/security/advis… | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/commit/b854c78… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T15:19:45.323810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T15:20:27.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `\"` prematurely ends the `\u003cinput\u003e` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T22:26:59.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg"
},
{
"name": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063"
}
],
"source": {
"advisory": "GHSA-g3xq-mj52-f8pg",
"discovery": "UNKNOWN"
},
"title": "Shaarli vulnerable to stored XSS via Suggested Tags"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24476",
"datePublished": "2026-01-26T22:26:59.886Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-01-27T15:20:27.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49469 (GCVE-0-2023-49469)
Vulnerability from cvelistv5 – Published: 2023-12-28 00:00 – Updated: 2024-08-02 21:53
VLAI
Summary
Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code via search tag function.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:45.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/issues/2038"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.13.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code via search tag function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T05:56:12.495Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/shaarli/Shaarli/issues/2038"
},
{
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.13.0"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49469",
"datePublished": "2023-12-28T00:00:00.000Z",
"dateReserved": "2023-11-27T00:00:00.000Z",
"dateUpdated": "2024-08-02T21:53:45.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7351 (GCVE-0-2013-7351)
Vulnerability from cvelistv5 – Published: 2020-01-02 19:42 – Updated: 2024-08-06 18:01
VLAI
Summary
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks.
Severity
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/sebsauvage/Shaarli/commit/53da… | x_refsource_CONFIRM |
| https://github.com/sebsauvage/Shaarli/issues/134 | x_refsource_CONFIRM |
| http://seclists.org/oss-sec/2014/q2/1 | x_refsource_MISC |
| http://seclists.org/oss-sec/2014/q2/4 | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | x_refsource_MISC |
Impacted products
Date Public
2013-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "Shaarli",
"versions": [
{
"status": "affected",
"version": "before 53da201749f8f362323ef278bf338f1d9f7a925a"
}
]
}
],
"datePublic": "2013-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T19:42:16.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2013-7351",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Shaarli",
"version": {
"version_data": [
{
"version_value": "before 53da201749f8f362323ef278bf338f1d9f7a925a"
}
]
}
}
]
},
"vendor_name": "Shaarli"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a",
"refsource": "CONFIRM",
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"name": "https://github.com/sebsauvage/Shaarli/issues/134",
"refsource": "CONFIRM",
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"name": "http://seclists.org/oss-sec/2014/q2/1",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"name": "http://seclists.org/oss-sec/2014/q2/4",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2013-7351",
"datePublished": "2020-01-02T19:42:16.000Z",
"dateReserved": "2014-04-01T00:00:00.000Z",
"dateUpdated": "2024-08-06T18:01:20.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5249 (GCVE-0-2018-5249)
Vulnerability from cvelistv5 – Published: 2018-01-05 20:00 – Updated: 2024-08-05 05:33
VLAI
Summary
Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and 0.9.x before 0.9.3 allows remote attackers to inject arbitrary code via the login form's username field (aka the login parameter to the ban_canLogin function in index.php).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/releases/tag/v0.8.5 | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/pull/1046 | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/releases/tag/v0.9.3 | x_refsource_CONFIRM |
Date Public
2018-01-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:33:44.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.8.5"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/pull/1046"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and 0.9.x before 0.9.3 allows remote attackers to inject arbitrary code via the login form\u0027s username field (aka the login parameter to the ban_canLogin function in index.php)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-05T19:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.8.5"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/pull/1046"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5249",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and 0.9.x before 0.9.3 allows remote attackers to inject arbitrary code via the login form\u0027s username field (aka the login parameter to the ban_canLogin function in index.php)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/shaarli/Shaarli/releases/tag/v0.8.5",
"refsource": "CONFIRM",
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.8.5"
},
{
"name": "https://github.com/shaarli/Shaarli/pull/1046",
"refsource": "CONFIRM",
"url": "https://github.com/shaarli/Shaarli/pull/1046"
},
{
"name": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.3",
"refsource": "CONFIRM",
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5249",
"datePublished": "2018-01-05T20:00:00.000Z",
"dateReserved": "2018-01-05T00:00:00.000Z",
"dateUpdated": "2024-08-05T05:33:44.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15215 (GCVE-0-2017-15215)
Vulnerability from cvelistv5 – Published: 2017-10-10 05:00 – Updated: 2024-09-16 20:01
VLAI
Summary
Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to index.php. If the victim is an administrator, an attacker can (for example) take over the admin session or change global settings or add/delete links. It is also possible to execute JavaScript against unauthenticated users.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/pull/987 | x_refsource_MISC |
| http://openwall.com/lists/oss-security/2017/10/07/2 | x_refsource_MISC |
| https://github.com/shaarli/Shaarli/releases/tag/v0.9.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:50:16.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/pull/987"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2017/10/07/2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to index.php. If the victim is an administrator, an attacker can (for example) take over the admin session or change global settings or add/delete links. It is also possible to execute JavaScript against unauthenticated users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T05:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/pull/987"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://openwall.com/lists/oss-security/2017/10/07/2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15215",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to index.php. If the victim is an administrator, an attacker can (for example) take over the admin session or change global settings or add/delete links. It is also possible to execute JavaScript against unauthenticated users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/shaarli/Shaarli/pull/987",
"refsource": "MISC",
"url": "https://github.com/shaarli/Shaarli/pull/987"
},
{
"name": "http://openwall.com/lists/oss-security/2017/10/07/2",
"refsource": "MISC",
"url": "http://openwall.com/lists/oss-security/2017/10/07/2"
},
{
"name": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.2",
"refsource": "MISC",
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.9.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15215",
"datePublished": "2017-10-10T05:00:00.000Z",
"dateReserved": "2017-10-10T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:01:14.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}