CVE-2026-48821
Status: Received (Intake)
DOM-based XSS in Shaarli Thumbnail Synchronizer

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor    Product   Version / Range
shaarli   shaarli   all versions up to and excluding 0.16.2 (0.16.1 and prior, per the description)
shaarli   shaarli   0.16.2 (listed by the page as a second CPE entry; the description states that 0.16.2 is the fixed release)
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in Shaarli versions 0.16.1 and earlier, located in the Thumbnail Synchronizer feature.

When an administrator runs the thumbnail update process, the backend method ThumbnailsController::ajaxUpdate returns each bookmark's title in a JSON response produced by the 'raw' formatter, that is, without HTML escaping. The frontend script thumbnails-update.js then writes that title into the progress interface through innerHTML, so a title containing markup is parsed by the browser and any script it carries executes in the administrator's session.

The root cause is the combination of two choices: the server emits unescaped data, and the client assigns it to an HTML sink without encoding it for that context. Either escaping on the server side or a text-only sink (such as textContent) on the client side would have prevented script execution; the hardened version does not rely on the attacker being unable to store a crafted title.
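
The following JavaScript is an added example for this page, not code from Shaarli's thumbnails-update.js or ThumbnailsController, and it illustrates both the Description above and this summary. It places the innerHTML concatenation pattern beside two hardened renderers and includes a small check for stray tags in rendered output. The JSON field names (index, total, title, thumbnail), the function names, and the sample title are constructed assumptions, not Shaarli's actual response format.

```javascript
// Added example (not Shaarli's own code): a stand-in for the thumbnail
// progress renderer described in the advisory, in vulnerable and hardened
// forms. Field and function names are assumptions chosen for illustration.

// Constructed sample AJAX response. A "raw" style formatter returns the
// stored title exactly as it is, so a crafted title arrives as live markup.
const SAMPLE_RESPONSE = JSON.stringify({
  index: 3,
  total: 10,
  title: '<img src=x onerror="alert(document.cookie)">',
  thumbnail: null,
});

// Vulnerable pattern: untrusted data is concatenated into an HTML string
// that is later assigned to element.innerHTML. The browser parses the title
// as markup, so the onerror handler runs with the administrator's session.
function buildProgressHtmlUnsafe(response) {
  const data = JSON.parse(response);
  return '<p>Updating thumbnail ' + data.index + '/' + data.total +
         ': ' + data.title + '</p>';
}

// Escape the five characters that change meaning in HTML text and in
// double- or single-quoted attribute values. Apply exactly once, at output.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern 1: the output is still an HTML string (for example because
// the surrounding template is HTML), but every untrusted field is escaped.
function buildProgressHtmlSafe(response) {
  const data = JSON.parse(response);
  return '<p>Updating thumbnail ' + escapeHtml(data.index) + '/' +
         escapeHtml(data.total) + ': ' + escapeHtml(data.title) + '</p>';
}

// Hardened pattern 2 (preferred in a browser): build DOM nodes and assign the
// title with textContent, which the HTML parser never interprets as markup.
// Browser only: relies on the global document, so it is not run under Node.
function renderProgress(container, response) {
  const data = JSON.parse(response);
  const p = document.createElement('p');
  p.textContent = 'Updating thumbnail ' + data.index + '/' + data.total +
                  ': ' + data.title;
  container.replaceChildren(p);
  return p;
}

// Quick check for a rendered string: does it contain any start or end tag
// other than the ones our own template emits? Escaped titles never match
// because they begin with "&lt;", not "<".
function containsForeignTag(html, allowedTags) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}
```

In a browser, calling renderProgress(document.getElementById('progress'), SAMPLE_RESPONSE) shows the crafted title literally, including the angle brackets, while assigning buildProgressHtmlUnsafe(SAMPLE_RESPONSE) to innerHTML would execute the onerror handler. Escaping on the server (the fix location the advisory points at, the 'raw' formatter) and using a text sink on the client are complementary; a reviewer should look for both, since either layer alone is easy to bypass when a later change forgets it.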

Impact Analysis

Exploitation runs attacker-controlled JavaScript in the administrator's authenticated browser session. The advisory lists session hijacking, privilege escalation, backdoor injection and full compromise as possible consequences.

The precondition is that a crafted title reaches the bookmark store and that an administrator subsequently runs the thumbnail synchronization. Because the script then executes with the administrator's privileges, it can drive any action the administrative interface exposes, which is what makes a single reflected title sufficient for the outcomes above.

Mitigation Strategies

Upgrade Shaarli to version 0.16.2 or later, where the issue is fixed. Check the running version against the affected range (all versions up to and excluding 0.16.2) rather than assuming a recent install is safe.

Until the upgrade is applied, do not run the thumbnail synchronization feature: the progress rendering of that feature is the vulnerable sink, and the malicious title is only executed when an administrator triggers the update.

Compliance Impact

Because the flaw executes in an administrator's session and the advisory lists session hijacking, privilege escalation, backdoor injection and full compromise as possible outcomes, it can bear on obligations under frameworks such as GDPR and HIPAA that require controls over the confidentiality and integrity of personal or health data and over administrative access.

The advisory itself does not describe specific compliance effects; their relevance depends on what data the Shaarli instance holds and who administers it.
