Skip to main content

Shaarli CVE-2026-48821

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 GitHub_M
5.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.8 MEDIUM
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
5.7 MEDIUM

AV:N reflects the web application delivery; AC:H because attack requires a pre-planted malicious bookmark AND an admin-triggered sync event; PR:H for the required administrative trigger; UI:R as the admin must initiate thumbnail synchronization.

3.1 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 21:31 vuln.today
Analysis Generated
Jun 17, 2026 - 21:31 vuln.today

DescriptionCVE.org

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.

AnalysisAI

DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant malicious bookmark title in Shaarli DB
Delivery
Admin triggers Thumbnail Synchronizer
Exploit
Backend returns raw unescaped title in AJAX JSON
Execution
thumbnails-update.js injects payload via innerHTML
Persist
XSS payload executes in admin browser
Impact
Exfiltrate session cookie or inject backdoor

Vulnerability AssessmentAI

Exploitation Exploitation requires two concrete preconditions: first, a malicious bookmark title containing an XSS payload must be present in the Shaarli bookmark database - this could be introduced by any user account with bookmark creation privileges or via bulk import of external bookmark data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate but contextually serious for Shaarli deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can create or import a bookmark into a Shaarli instance crafts a title containing a JavaScript payload (e.g., an event-handler-bearing HTML tag). When a Shaarli administrator subsequently navigates to the Thumbnail Synchronizer and initiates the update process, the backend returns the malicious title as raw JSON, and thumbnails-update.js injects it into the page DOM via innerHTML, triggering the payload in the admin's browser session. …
Remediation The primary fix is to upgrade Shaarli to version 0.16.2, released 2026-05-23, which specifically patches thumbnail update DOM insertions alongside other XSS fixes (Awesomplete autocomplete tag encoding and Markdown href protocol sanitization). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48821 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy