Your message dated Thu, 19 Feb 2026 23:04:59 +0000
with message-id <[email protected]>
and subject line Bug#1126554: fixed in shaarli 0.14.0+dfsg-2+deb13u1
has caused the Debian Bug report #1126554,
regarding shaarli: CVE-2026-24476
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shaarli
Version: 0.15.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for shaarli.
CVE-2026-24476[0]:
| Shaarli is a personal bookmarking service. Prior to version 0.16.0,
| crafting a malicious tag which starting with `"` prematurely ends
| the `<input>` tag on the start page and allows an attacker to add
| arbitrary html leading to a possible XSS attack. Version 0.16.0
| fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24476
https://www.cve.org/CVERecord?id=CVE-2026-24476
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg
[2] https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
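The attribute break-out named in the CVE description quoted in the report above, as an added example that is not part of the bug report, Shaarli's code or the upstream patch. It is a generic Python sketch: the `tags` field name, the `data-list` attribute and the sample tag values are assumptions constructed for illustration. It renders a tag list into a quoted `<input>` attribute with and without escaping, then parses the output to check that the markup is still a single element.

```python
from html import escape
from html.parser import HTMLParser

# Assumptions for illustration: the field name and the data-list attribute.
TEMPLATE = '<input type="text" name="tags" data-list="%s">'


def render_unescaped(tags):
    # "Before" form: tag names go into the quoted attribute as-is.
    return TEMPLATE % ", ".join(tags)


def render_escaped(tags):
    # Hardened form: escape &, <, >, " and ' for a quoted attribute value.
    return TEMPLATE % escape(", ".join(tags), quote=True)


class _StartTags(HTMLParser):
    """Collects every start tag an HTML parser sees in the fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse_elements(markup):
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return parser.elements


def attribute_is_intact(markup, tags):
    """True when markup is exactly one <input> whose data-list round-trips."""
    elements = parse_elements(markup)
    return (len(elements) == 1 and elements[0][0] == "input"
            and elements[0][1].get("data-list") == ", ".join(tags))


# Constructed sample: the second tag name starts with a double quote.
SAMPLE_TAGS = ["linux", '"><em>injected</em>', "php"]

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        html_out = render(SAMPLE_TAGS)
        print(render.__name__, attribute_is_intact(html_out, SAMPLE_TAGS))
        print("  ", [name for name, _ in parse_elements(html_out)])
```

A check like `attribute_is_intact` works as a regression test for any template that places stored values inside a quoted attribute.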
--- Begin Message ---
Source: shaarli
Source-Version: 0.14.0+dfsg-2+deb13u1
Done: James Valleroy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shaarli, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Valleroy <[email protected]> (supplier of updated shaarli package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Feb 2026 07:59:05 -0500
Source: shaarli
Architecture: source
Version: 0.14.0+dfsg-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: James Valleroy <[email protected]>
Closes: 1126554
Changes:
shaarli (0.14.0+dfsg-2+deb13u1) trixie-security; urgency=medium
.
* Add patch to fix stored XSS via tag suggestions (Closes: #1126554,
CVE-2026-24476)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---