Search
Find a vulnerability
Search criteria
6 vulnerabilities by Shaarli
CVE-2026-48821 (GCVE-0-2026-48821)
Vulnerability from cvelistv5 – Published: 2026-06-17 20:33 – Updated: 2026-06-18 12:57
VLAI
Title
Shaarli: DOM-based Cross-Site Scripting (XSS) in Thumbnail Synchronizer
Summary
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/security/advis… | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/releases/tag/v0.16.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48821",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:56:58.369827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:57:01.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-mw63-f9qj-c5h3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the \u0027raw\u0027 formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T20:33:31.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-mw63-f9qj-c5h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-mw63-f9qj-c5h3"
},
{
"name": "https://github.com/shaarli/Shaarli/releases/tag/v0.16.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.16.2"
}
],
"source": {
"advisory": "GHSA-mw63-f9qj-c5h3",
"discovery": "UNKNOWN"
},
"title": "Shaarli: DOM-based Cross-Site Scripting (XSS) in Thumbnail Synchronizer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48821",
"datePublished": "2026-06-17T20:33:31.230Z",
"dateReserved": "2026-05-22T20:57:10.977Z",
"dateUpdated": "2026-06-18T12:57:01.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48823 (GCVE-0-2026-48823)
Vulnerability from cvelistv5 – Published: 2026-06-17 20:06 – Updated: 2026-06-18 12:56
VLAI
Title
Shaarli has Stored Cross-Site Scripting (XSS) via Tags Search
Summary
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the "Filter by tag" search functionality, administrators and privileged users. This issue has been fixed in version 0.16.2.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/security/advis… | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/releases/tag/v0.16.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48823",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:56:46.297724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:56:49.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the \"Filter by tag\" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the \"Filter by tag\" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the \"Filter by tag\" search functionality, administrators and privileged users. This issue has been fixed in version 0.16.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T20:06:05.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6"
},
{
"name": "https://github.com/shaarli/Shaarli/releases/tag/v0.16.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.16.2"
}
],
"source": {
"advisory": "GHSA-68qr-fvv8-6mc6",
"discovery": "UNKNOWN"
},
"title": "Shaarli has Stored Cross-Site Scripting (XSS) via Tags Search"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48823",
"datePublished": "2026-06-17T20:06:05.616Z",
"dateReserved": "2026-05-22T20:57:10.977Z",
"dateUpdated": "2026-06-18T12:56:49.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48822 (GCVE-0-2026-48822)
Vulnerability from cvelistv5 – Published: 2026-06-17 19:59 – Updated: 2026-06-18 15:42
VLAI
Title
Shaarli has Stored Cross-Site Scripting (XSS) via Markdown Reference Links
Summary
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php.This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]\((.*?)\)#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2.
Severity
5.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/security/advis… | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/releases/tag/v0.16.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48822",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:35:27.903553Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:42:42.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-2hgr-63wv-x462"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php.This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]\\((.*?)\\)#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T19:59:34.277Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-2hgr-63wv-x462",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-2hgr-63wv-x462"
},
{
"name": "https://github.com/shaarli/Shaarli/releases/tag/v0.16.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/releases/tag/v0.16.2"
}
],
"source": {
"advisory": "GHSA-2hgr-63wv-x462",
"discovery": "UNKNOWN"
},
"title": "Shaarli has Stored Cross-Site Scripting (XSS) via Markdown Reference Links"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48822",
"datePublished": "2026-06-17T19:59:34.277Z",
"dateReserved": "2026-05-22T20:57:10.977Z",
"dateUpdated": "2026-06-18T15:42:42.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24476 (GCVE-0-2026-24476)
Vulnerability from cvelistv5 – Published: 2026-01-26 22:26 – Updated: 2026-01-27 15:20
VLAI
Title
Shaarli vulnerable to stored XSS via Suggested Tags
Summary
Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/security/advis… | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/commit/b854c78… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T15:19:45.323810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T15:20:27.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `\"` prematurely ends the `\u003cinput\u003e` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T22:26:59.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg"
},
{
"name": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063"
}
],
"source": {
"advisory": "GHSA-g3xq-mj52-f8pg",
"discovery": "UNKNOWN"
},
"title": "Shaarli vulnerable to stored XSS via Suggested Tags"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24476",
"datePublished": "2026-01-26T22:26:59.886Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-01-27T15:20:27.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55291 (GCVE-0-2025-55291)
Vulnerability from cvelistv5 – Published: 2025-08-18 17:06 – Updated: 2025-08-18 19:56
VLAI
Title
Shaarli allows reflected XSS via searchtags parameter
Summary
Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the </title> tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0.
Severity
7.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/shaarli/Shaarli/security/advis… | x_refsource_CONFIRM |
| https://github.com/shaarli/Shaarli/commit/66faa61… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T19:56:12.894520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T19:56:41.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "shaarli",
"versions": [
{
"status": "affected",
"version": "\u003c 0.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the \u003c/title\u003e tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:06:35.799Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h"
},
{
"name": "https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6"
}
],
"source": {
"advisory": "GHSA-7w7w-pw4j-265h",
"discovery": "UNKNOWN"
},
"title": "Shaarli allows reflected XSS via searchtags parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55291",
"datePublished": "2025-08-18T17:06:35.799Z",
"dateReserved": "2025-08-12T16:15:30.237Z",
"dateUpdated": "2025-08-18T19:56:41.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7351 (GCVE-0-2013-7351)
Vulnerability from cvelistv5 – Published: 2020-01-02 19:42 – Updated: 2024-08-06 18:01
VLAI
Summary
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks.
Severity
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/sebsauvage/Shaarli/commit/53da… | x_refsource_CONFIRM |
| https://github.com/sebsauvage/Shaarli/issues/134 | x_refsource_CONFIRM |
| http://seclists.org/oss-sec/2014/q2/1 | x_refsource_MISC |
| http://seclists.org/oss-sec/2014/q2/4 | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | x_refsource_MISC |
Impacted products
Date Public
2013-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Shaarli",
"vendor": "Shaarli",
"versions": [
{
"status": "affected",
"version": "before 53da201749f8f362323ef278bf338f1d9f7a925a"
}
]
}
],
"datePublic": "2013-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T19:42:16.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2013-7351",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Shaarli",
"version": {
"version_data": [
{
"version_value": "before 53da201749f8f362323ef278bf338f1d9f7a925a"
}
]
}
}
]
},
"vendor_name": "Shaarli"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a",
"refsource": "CONFIRM",
"url": "https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a"
},
{
"name": "https://github.com/sebsauvage/Shaarli/issues/134",
"refsource": "CONFIRM",
"url": "https://github.com/sebsauvage/Shaarli/issues/134"
},
{
"name": "http://seclists.org/oss-sec/2014/q2/1",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q2/1"
},
{
"name": "http://seclists.org/oss-sec/2014/q2/4",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q2/4"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2013-7351",
"datePublished": "2020-01-02T19:42:16.000Z",
"dateReserved": "2014-04-01T00:00:00.000Z",
"dateUpdated": "2024-08-06T18:01:20.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}