Source: shaarli
Version: 0.16.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for shaarli.

CVE-2026-48822[0]:
| Shaarli is a personal bookmarking service. Versions 0.16.1 and prior
| contain a stored Cross-Site Scripting (XSS) vulnerability in the
| Markdown-to-HTML conversion process used in the Bookmark Description
| field. An authenticated user can inject a malicious javascript: URI
| inside a Markdown link. The vulnerability originates in the
| filterProtocols method within BookmarkMarkdownFormatter.php. This
| method attempts to sanitize Markdown links by filtering dangerous
| protocols (such as javascript:) before rendering. It uses the
| following regular expression: (#]\((.*?)\)#is). This regex is
| designed to detect inline Markdown links, but it fails to detect
| Markdown reference-style links because reference-style links are
| resolved by the Markdown parser after preprocessing. The
| filterProtocols method never inspects the actual URL used in these
| references and as a result, an attacker can supply a javascript: URI
| inside a reference definition. This issue has been fixed in version
| 0.16.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48822
    https://www.cve.org/CVERecord?id=CVE-2026-48822
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-2hgr-63wv-x462

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
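Added illustration in Python (not Shaarli's code and not the upstream 0.16.2 fix): it reproduces why the inline-link regex quoted in the advisory never sees a reference definition, and shows a check that inspects both link forms before rendering. The reference-definition pattern, the scheme allow-list and the `neutralize` rewrite are assumptions made for this demonstration.

```python
import re

# Equivalent of the inline-link regex quoted in the advisory, #]\((.*?)\)#is:
# it only ever sees the URL of an inline "[text](url)" link.
INLINE_LINK_RE = re.compile(r"\]\((.*?)\)", re.IGNORECASE | re.DOTALL)

# Reference definitions, "[label]: url", are resolved later by the Markdown
# parser, so the regex above never inspects them. Assumed pattern, not Shaarli's.
REFERENCE_DEF_RE = re.compile(
    r"^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?([^\s>]+)>?", re.MULTILINE)

# Assumed allow-list: any URL carrying a scheme outside this set is rejected.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto", "magnet"}


def scheme_of(url):
    """Lower-cased scheme of url, or None for relative URLs. Whitespace and
    control characters are dropped first, as browsers ignore them in a scheme."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


def is_unsafe(url):
    scheme = scheme_of(url)
    return scheme is not None and scheme not in ALLOWED_SCHEMES


def inline_only_unsafe_urls(markdown):
    """Reproduces the gap: only inline link URLs are inspected."""
    return [u for u in INLINE_LINK_RE.findall(markdown) if is_unsafe(u)]


def all_unsafe_urls(markdown):
    """Hardened check: inline links and reference definitions alike."""
    urls = INLINE_LINK_RE.findall(markdown)
    urls += [url for _label, url in REFERENCE_DEF_RE.findall(markdown)]
    return [u for u in urls if is_unsafe(u)]


def neutralize(markdown):
    """Rewrite every disallowed URL, in either link form, to a harmless '#'."""
    def fix_inline(m):
        return "](#)" if is_unsafe(m.group(1)) else m.group(0)

    def fix_ref(m):
        return f"[{m.group(1)}]: #" if is_unsafe(m.group(2)) else m.group(0)
    return REFERENCE_DEF_RE.sub(fix_ref, INLINE_LINK_RE.sub(fix_inline, markdown))


# Constructed sample descriptions: one inline link, one reference-style link.
SAMPLE_INLINE = "See [docs](https://example.org/) and [bad](javascript:alert(1))"
SAMPLE_REFERENCE = "Click [here][x].\n\n[x]: javascript:alert(1)"
```

Running the two checks over the samples shows the inline-only check flagging the first description but passing the second unchanged, while the combined check catches both.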

