Cross-site scripting in Shaarli - #VU132254

Published: May 25, 2026


Vulnerability identifier: #VU132254
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Shaarli
Affected software:
Shaarli

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary JavaScript in the administrator's browser.

The vulnerability exists due to cross-site scripting in the Thumbnail Synchronizer feature when rendering bookmark titles returned by the thumbnail update process. A local privileged user can create a bookmark with a crafted title to execute arbitrary JavaScript in the administrator's browser.

User interaction is required to run the thumbnail synchronization feature, and the issue is triggered when the progress interface renders the returned title using innerHTML.
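The rendering step described above, shown as an added example that is not Shaarli's own code: the same bookmark title from a thumbnail-update response assembled into progress-UI markup the unsafe way (raw title into an innerHTML string) and the hardened way (escaped first). The function names, the response shape and the sample title are assumptions for illustration.

```javascript
// Added example, not Shaarli's code: the title returned by the thumbnail
// update process rendered into the progress UI, unsafe vs hardened.
// Function names and the response shape are assumptions for illustration.

// Escape the characters that let text break out of HTML text or attributes.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: the title is concatenated into markup that is then assigned to
// innerHTML, so any tags inside the title become live DOM in the admin's page.
function renderProgressUnsafe(update) {
  return '<div class="thumbnail-progress">Processing: ' +
    '<span class="title">' + update.title + '</span></div>';
}

// Hardened: escape before building the markup. In a real page the simpler fix
// is to create the <span> and set el.textContent = update.title, which never
// parses the title as HTML at all.
function renderProgressSafe(update) {
  return '<div class="thumbnail-progress">Processing: ' +
    '<span class="title">' + escapeHtml(update.title) + '</span></div>';
}

// Constructed sample response: a bookmark whose title contains markup.
const sampleUpdate = { title: 'Notes <b>2026</b> & "drafts"', thumbnail: '/cache/abc.jpg' };

// Defender's check: does the rendered title cell contain a tag that came from
// the title itself rather than from the template?
function titleLeaksTags(html) {
  const m = html.match(/<span class="title">(.*?)<\/span>/s);
  return m !== null && /<[a-z]/i.test(m[1]);
}
```

Run the check against both renderers on the sample title: only the unsafe output carries the title's own tag through to the page.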


Remediation

Install the security update from the vendor's website.

Sources