Main Vulnerability Database Vulnerabilities #VU128352

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Shaarli - #VU128352

Published: April 28, 2026

Vulnerability identifier: #VU128352

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-80

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Shaarli

Affected software:
Shaarli

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in uploaded or embedded filenames in the filename rendering logic when rendering uploaded or embedded filenames in the DOM. A remote user can upload a file with a specially crafted filename to execute arbitrary script in the victim's browser.

The attack vector is limited by rendering context and browser behavior.

Remediation

Install security update from vendor's website.

Sources

https://github.com/shaarli/Shaarli/security/advisories/GHSA-vwcv-9hj3-8982

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Shaarli - #VU128352

Detailed vulnerability description

Remediation

Sources

Please verify you're human