Cross-site scripting in Shaarli - #VU132255

 


Published: May 25, 2026


Vulnerability identifier: #VU132255
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Shaarli
Affected software:
Shaarli

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the Bookmark Description Markdown-to-HTML conversion process when processing Markdown reference-style links. A local privileged user can inject a malicious javascript: URI into a crafted bookmark description to execute arbitrary script in the victim's browser.

Exploitation requires user interaction: the victim must click the rendered link on the homepage.
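
The following audit script is an added example, not part of the advisory and not Shaarli code. It scans a bookmark description for Markdown reference-style link definitions whose URI scheme is outside an allowlist, normalizing the destination first so that case changes and character references do not hide the scheme. The allowlist, the function names and the sample description are assumptions constructed for illustration.

```python
import html
import re

# Assumed allowlist of schemes acceptable in a bookmark description link.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

# Reference definition: up to 3 spaces, "[label]:", then a destination
# that is either <bracketed> or a run of non-whitespace characters.
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:\s*(<[^>]*>|\S+)", re.MULTILINE)
TAB_NEWLINE = re.compile(r"[\t\r\n]")           # removed by URL parsers
LEADING_C0 = "".join(map(chr, range(0x21)))     # C0 controls and space
SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def link_scheme(dest):
    """Return the lower-cased scheme of a link destination, or None if relative."""
    dest = dest.strip()
    if dest.startswith("<") and dest.endswith(">"):
        dest = dest[1:-1]
    dest = html.unescape(dest)                  # resolve character references
    dest = TAB_NEWLINE.sub("", dest).lstrip(LEADING_C0)
    match = SCHEME.match(dest)
    return match.group(1).lower() if match else None


def audit_description(text):
    """Return (label, destination, scheme) for each reference definition
    whose scheme is not in ALLOWED_SCHEMES. Relative links are ignored."""
    findings = []
    for label, dest in REF_DEF.findall(text):
        scheme = link_scheme(dest)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((label, dest, scheme))
    return findings


# Constructed sample description (not taken from a real bookmark).
SAMPLE = """\
Read the [project docs][docs] and the [changelog][cl].
See also [mirror][m] and [notes][n].

[docs]: https://example.org/docs
[cl]: JaVaScRiPt:alert(1)
[m]: <java&#115;cript:alert(1)>
[n]: /local/notes
"""

if __name__ == "__main__":
    for label, dest, scheme in audit_description(SAMPLE):
        print(f"reference [{label}] uses disallowed scheme {scheme!r}: {dest}")
```

The same scheme check applies to inline links. Enforcing it on the href attributes of the rendered HTML covers both link forms at once.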


Remediation

Install the security update from the vendor's website.
