Source: shaarli
Version: 0.16.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for shaarli.

CVE-2026-48823[0]:
| Shaarli is a personal bookmarking service. Versions 0.16.1 and prior
| contain a stored Cross-Site Scripting (XSS) vulnerability in the tag
| filtering functionality of Shaarli. An authenticated user can inject
| arbitrary JavaScript into the tags field when creating a bookmark
| (Shaare). The malicious payload is stored and later executed when
| users interact with the "Filter by tag" search feature on the
| homepage. User-supplied input in the tags field is not properly
| sanitized or output-escaped before being rendered in the tag
| filtering interface. When a bookmark is created with a malicious
| payload inside the tag field, the payload is stored in the database.
| Later, when a user searches using the "Filter by tag" functionality
| on the homepage, the application renders matching tags dynamically.
| If the tag value contains HTML with JavaScript event handlers, it is
| injected into the DOM. This impacts anyone interacting with the
| "Filter by tag" search functionality, administrators and privileged
| users. This issue has been fixed in version 0.16.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48823
    https://www.cve.org/CVERecord?id=CVE-2026-48823
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
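
The advisory above describes stored tag values reaching the "Filter by tag" DOM without output escaping. As an added illustration (not Shaarli's code; the function names, the suggestion-list markup and the sample tags are assumptions made for this example), the unsafe interpolation is shown beside the escaped form, so a packager can recognise the pattern when reviewing the upstream fix:

```javascript
// Added example: escaping stored tag values at the point where they are
// rendered into a tag-filter suggestion list. Not Shaarli's own code; the
// function names and the list markup are assumptions for this illustration.

// Map every HTML-significant character to its entity so a stored tag value
// is always rendered as text, never parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Case-insensitive prefix match, the behaviour a "Filter by tag" box needs.
function filterTags(tags, query) {
  const q = query.toLowerCase();
  return tags.filter((t) => t.toLowerCase().startsWith(q));
}

// Unsafe pattern: stored tag values are interpolated straight into markup,
// so a tag containing an element with an event handler becomes live DOM.
function renderTagSuggestionsUnsafe(tags, query) {
  return '<ul class="tag-suggestions">' +
    filterTags(tags, query).map((t) => `<li data-tag="${t}">${t}</li>`).join('') +
    '</ul>';
}

// Hardened pattern: every untrusted value is escaped at the output point,
// in the attribute value and in the element body alike.
function renderTagSuggestions(tags, query) {
  return '<ul class="tag-suggestions">' +
    filterTags(tags, query)
      .map((t) => `<li data-tag="${escapeHtml(t)}">${escapeHtml(t)}</li>`)
      .join('') +
    '</ul>';
}

// Constructed sample tag list; the last entry stands in for a stored tag
// value of the kind the advisory describes (HTML with an event handler).
const SAMPLE_TAGS = ['security', 'selfhosted', 'shell', '<img src=x onerror="alert(1)">'];
```

Escaping belongs at the output point of every rendering path that touches tag values; storing the escaped form instead would break legitimate tags containing `&` and leave any other output path unprotected.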

