Your message dated Thu, 19 Feb 2026 19:57:52 +0000
with message-id <[email protected]>
and subject line Bug#1126554: fixed in shaarli 0.12.1+dfsg-8+deb12u2
has caused the Debian Bug report #1126554,
regarding shaarli: CVE-2026-24476
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shaarli
Version: 0.15.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for shaarli.
CVE-2026-24476[0]:
| Shaarli is a personal bookmarking service. Prior to version 0.16.0,
| crafting a malicious tag which starts with `"` prematurely ends
| the `<input>` tag on the start page and allows an attacker to add
| arbitrary html leading to a possible XSS attack. Version 0.16.0
| fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24476
https://www.cve.org/CVERecord?id=CVE-2026-24476
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg
[2] https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: shaarli
Source-Version: 0.12.1+dfsg-8+deb12u2
Done: James Valleroy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shaarli, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Valleroy <[email protected]> (supplier of updated shaarli package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 Feb 2026 10:19:00 -0500
Source: shaarli
Architecture: source
Version: 0.12.1+dfsg-8+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: James Valleroy <[email protected]>
Closes: 1126554
Changes:
shaarli (0.12.1+dfsg-8+deb12u2) bookworm-security; urgency=medium
.
* Add patch to fix stored XSS via tag suggestions
(Closes: #1126554, CVE-2026-24476)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
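
The CVE description and the changelog entry above both concern a tag name that closes the attribute of an `<input>` it is rendered into. The following is an added example, not code from Shaarli or from the Debian patch: it renders a tag list into an attribute with and without attribute-context escaping and audits the parsed result. The template, the field name `searchtags`, the attribute `data-list` and the sample tags are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical template: the field name and attribute names are assumptions.
TEMPLATE = '<input type="text" name="searchtags" data-list="{}">'
EXPECTED_ATTRS = {"type", "name", "data-list"}

# Constructed sample: one ordinary tag and one that starts with a double quote.
SAMPLE_TAGS = ["news", '"><b>marker</b>']


def render_unescaped(tags):
    """'Before' form: tag names are copied into the attribute value as-is."""
    return TEMPLATE.format(", ".join(tags))


def render_escaped(tags):
    """Hardened form: quote=True also encodes " and ', so the value cannot
    close the double-quoted attribute it sits in."""
    return TEMPLATE.format(html.escape(", ".join(tags), quote=True))


class _Collector(HTMLParser):
    """Records every start tag together with its attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def audit(markup, tags):
    """Return findings; an empty list means the tags stayed inside data-list."""
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    names = [name for name, _ in parser.elements]
    if names != ["input"]:
        return ["unexpected elements: {}".format(names)]
    attrs = parser.elements[0][1]
    findings = []
    extra = sorted(set(attrs) - EXPECTED_ATTRS)
    if extra:
        findings.append("unexpected attributes: {}".format(extra))
    if attrs.get("data-list") != ", ".join(tags):
        findings.append("data-list does not round-trip the tag names")
    return findings
```

Calling `audit(render_unescaped(SAMPLE_TAGS), SAMPLE_TAGS)` reports the extra element, while the escaped rendering returns an empty list; the same audit can serve as a regression test for a template after the fix is applied.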