Cross-site scripting in Shaarli - #VU132256
Published: May 25, 2026
Shaarli
Detailed vulnerability description
The vulnerability allows a local privileged user to execute arbitrary JavaScript in the context of another user's browser.
The vulnerability exists due to cross-site scripting in the tag filtering functionality, which renders stored tag values in the "Filter by tag" search interface. A local privileged user can inject arbitrary JavaScript into the tags field of a bookmark, and that script then executes in the context of another user's browser.
User interaction is required: the victim must use the "Filter by tag" search feature on the homepage.