Shaarli
CVE-2026-48821
MEDIUM
Severity by source
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
AV:N reflects the web application delivery; AC:H because attack requires a pre-planted malicious bookmark AND an admin-triggered sync event; PR:H for the required administrative trigger; UI:R as the admin must initiate thumbnail synchronization.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.
AnalysisAI
DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concrete preconditions: first, a malicious bookmark title containing an XSS payload must be present in the Shaarli bookmark database - this could be introduced by any user account with bookmark creation privileges or via bulk import of external bookmark data. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate but contextually serious for Shaarli deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can create or import a bookmark into a Shaarli instance crafts a title containing a JavaScript payload (e.g., an event-handler-bearing HTML tag). When a Shaarli administrator subsequently navigates to the Thumbnail Synchronizer and initiates the update process, the backend returns the malicious title as raw JSON, and thumbnails-update.js injects it into the page DOM via innerHTML, triggering the payload in the admin's browser session. … |
| Remediation | The primary fix is to upgrade Shaarli to version 0.16.2, released 2026-05-23, which specifically patches thumbnail update DOM insertions alongside other XSS fixes (Awesomplete autocomplete tag encoding and Markdown href protocol sanitization). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code
Stored XSS in Shaarli versions before 0.16.0 allows authenticated attackers to inject malicious HTML by crafting tags st
Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags
Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and 0.9.x before 0.9.3 allows remote attackers to injec
Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject m
Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloa
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today