SB2026052525 - Multiple vulnerabilities in Shaarli

Published: May 25, 2026

Security Bulletin ID SB2026052525
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Local access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to execute arbitrary JavaScript in the administrator's browser.

The vulnerability exists due to cross-site scripting in the Thumbnail Synchronizer feature when rendering bookmark titles returned by the thumbnail update process. A local privileged user can create a bookmark with a crafted title to execute arbitrary JavaScript in the administrator's browser.

User interaction is required to run the thumbnail synchronization feature, and the issue is triggered when the progress interface renders the returned title using innerHTML.


2) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the Bookmark Description markdown-to-html conversion process when processing markdown reference-style links. A local privileged user can inject a malicious javascript: URI in a crafted bookmark description to execute arbitrary script in the victim's browser.

User interaction is required to click the rendered link on the homepage.


3) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to execute arbitrary JavaScript in the context of another user's browser.

The vulnerability exists due to cross-site scripting in the tag filtering functionality when rendering stored tag values in the "Filter by tag" search interface. A local privileged user can inject arbitrary JavaScript into the tags field of a bookmark to execute arbitrary JavaScript in the context of another user's browser.

User interaction is required when a victim uses the "Filter by tag" search feature on the homepage.
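The three issues above share one root cause: untrusted bookmark fields (the title returned to the thumbnail progress interface, link targets in the description markdown, and stored tag values) reach HTML without output encoding or a link-scheme check. The following helpers are an added example illustrating the defensive pattern, not Shaarli's own code; every function and field name is hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not Shaarli's code. Hardened rendering helpers for the three
// spots described in this bulletin. All names below are hypothetical.

// 1) HTML-escape untrusted strings before they are placed into markup.
//    Needed wherever a bookmark title or tag reaches innerHTML or a template.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 2) Allow-list link schemes so a markdown link, including a reference-style
//    "[text][ref]" definition, cannot carry a javascript: URI into an href.
//    Relative URLs (no scheme) are allowed; unknown schemes collapse to "#".
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'ftp:']);
function safeHref(href) {
  // Strip control characters and whitespace first: browsers ignore them when
  // parsing a scheme, so "\tjavascript:" would otherwise slip past the check.
  const cleaned = String(href).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !SAFE_SCHEMES.has(m[1].toLowerCase() + ':')) return '#';
  return escapeHtml(href); // attribute context: quotes must be escaped too
}

// 3) Build the thumbnail-sync progress row from the server's JSON response.
//    The title is escaped instead of being assigned raw via innerHTML.
function renderProgressRow(response) {
  return `<li class="thumbnail-progress">${escapeHtml(response.title)}</li>`;
}

// 4) Render the "Filter by tag" list from stored tag values: the visible text
//    is HTML-escaped and the query parameter is URL-encoded separately.
function renderTagFilter(tags) {
  const items = tags.map(
    (t) => `<li><a href="?searchtags=${encodeURIComponent(t)}">${escapeHtml(t)}</a></li>`
  );
  return '<ul>' + items.join('') + '</ul>';
}

// Constructed sample inputs mirroring the three bulletin items.
const sampleResponse = { title: 'Weekly notes <script>alert(1)</script>' };
const sampleLinks = ['javascript:alert(1)', '\tJavaScript:alert(1)', 'https://example.org/?a=1&b=2'];
const sampleTags = ['security', 'a&b <c>'];

console.log(renderProgressRow(sampleResponse));
console.log(sampleLinks.map(safeHref));
console.log(renderTagFilter(sampleTags));
```

In a real browser the same effect for item 1 is obtained by assigning the title to `textContent` rather than `innerHTML`; the string-building form is used here so the helpers run outside a DOM.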


Remediation

Install the update from the vendor's website.