CVE-2026-48822
Deferred - Pending Action
Stored XSS in Shaarli Bookmarking Service

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion used for the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link.

The vulnerability originates in the filterProtocols method in BookmarkMarkdownFormatter.php. This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering, using the regular expression #]\((.*?)\)#is. That pattern matches only the "](url)" tail of an inline Markdown link, so it never sees reference-style links ([text][label] with a separate [label]: url definition): those are resolved by the Markdown parser only after this preprocessing step has run. Because filterProtocols never inspects the URL in a reference definition, an attacker can place a javascript: URI there and it reaches the rendered HTML unfiltered.

This issue has been fixed in version 0.16.2.
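The bypass comes down to which part of the Markdown the filter ever looks at. The following Python script is an added illustration, not Shaarli's code: it reproduces the quoted pattern, runs it over a constructed inline payload and a constructed reference-style payload, and shows a hardened variant that also inspects reference definitions. The allow-list, the "rewrite a bad scheme to http://" behaviour, the simplified reference-definition grammar and the tiny link resolver are all assumptions made for the example; Shaarli's actual helper and its 0.16.2 fix are not shown on this page.

```python
import re

# The advisory quotes Shaarli's filterProtocols pattern as  #]\((.*?)\)#is  (PCRE).
# The same pattern in Python: it only matches the "](url)" tail of an inline link.
INLINE_LINK_RE = re.compile(r"\]\((.*?)\)", re.IGNORECASE | re.DOTALL)

# Reference-style pieces (constructed, simplified CommonMark; no titles or <url> forms):
#   usage:       [text][label]
#   definition:  [label]: url        (at most three leading spaces)
REF_USE_RE = re.compile(r"\[([^\]]+)\]\[([^\]]*)\]")
REF_DEF_RE = re.compile(r"^[ ]{0,3}\[([^\]]+)\]:[ \t]*(\S+)", re.MULTILINE)

SCHEME_RE = re.compile(r"^(\w+):")
ALLOWED_SCHEMES = ("http", "https", "ftp", "mailto")   # assumed allow-list


def _normalise(url):
    # Browsers drop leading whitespace and embedded tab/CR/LF before parsing a
    # scheme, so a check on the raw string can be bypassed with "java\tscript:".
    return re.sub(r"[\t\r\n]", "", url.lstrip())


def is_allowed(url, allowed=ALLOWED_SCHEMES):
    url = _normalise(url)
    if url.startswith(("?", "/", "#")):
        return True               # relative target, no scheme to check
    m = SCHEME_RE.match(url)
    return m is None or m.group(1).lower() in allowed


def whitelist_protocols(url, allowed=ALLOWED_SCHEMES):
    """Rewrite a disallowed scheme to http:// (assumed stand-in for Shaarli's helper)."""
    url = _normalise(url)
    if is_allowed(url, allowed):
        return url
    return "http://" + url[SCHEME_RE.match(url).end():]


def filter_protocols_vulnerable(description):
    """Pre-0.16.2 logic as the advisory describes it: only inline link targets are inspected."""
    return INLINE_LINK_RE.sub(
        lambda m: "](" + whitelist_protocols(m.group(1)) + ")", description)


def filter_protocols_hardened(description):
    """Illustrative fix: additionally run the allow-list over every reference definition."""
    out = filter_protocols_vulnerable(description)
    return REF_DEF_RE.sub(
        lambda m: "[" + m.group(1) + "]: " + whitelist_protocols(m.group(2)), out)


def rendered_hrefs(description):
    """Tiny stand-in for the Markdown parser: the hrefs the final HTML would carry."""
    defs = {m.group(1).lower(): m.group(2) for m in REF_DEF_RE.finditer(description)}
    hrefs = [m.group(1) for m in INLINE_LINK_RE.finditer(description)]
    for m in REF_USE_RE.finditer(description):
        label = (m.group(2) or m.group(1)).lower()   # [text][] uses text as the label
        if label in defs:
            hrefs.append(defs[label])
    return hrefs


def dangerous_hrefs(description):
    """Resolved link targets that would still reach the page with a disallowed scheme."""
    return [h for h in rendered_hrefs(description) if not is_allowed(h)]


# Constructed bookmark descriptions for the demonstration, not taken from any real report.
INLINE_PAYLOAD = "See [my notes](javascript:alert(1)) for details."
REFERENCE_PAYLOAD = "See [my notes][notes] for details.\n\n[notes]: javascript:alert(1)\n"
BENIGN = "See [the docs][d].\n\n[d]: https://example.com/docs\n"

if __name__ == "__main__":
    for name, text in (("inline", INLINE_PAYLOAD), ("reference", REFERENCE_PAYLOAD)):
        print(name, "vulnerable filter leaves:", dangerous_hrefs(filter_protocols_vulnerable(text)))
        print(name, "hardened filter leaves:  ", dangerous_hrefs(filter_protocols_hardened(text)))
```

Running it shows the asymmetry the advisory describes: the inline payload is neutralised by the original pattern, the reference-style payload passes through it untouched and still resolves to a javascript: href, and only the variant that also rewrites reference definitions clears both. The _normalise step is there because scheme filters that look only for the literal string "javascript:" are also defeated by whitespace and case tricks, which is a separate weakness from the one this CVE is about.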
Affected Vendors & Products
Vendor    Product    Version / Range
shaarli   shaarli    all versions before 0.16.2 (0.16.2 itself is not affected)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in Shaarli, a personal bookmarking service, in versions 0.16.1 and earlier. It is a stored Cross-Site Scripting (XSS) vulnerability that occurs during the Markdown-to-HTML conversion process in the Bookmark Description field.

An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability arises because the filterProtocols method, which is supposed to sanitize Markdown links by filtering dangerous protocols like javascript:, uses a regular expression that only detects inline Markdown links but fails to detect reference-style Markdown links.

Because filterProtocols never inspects the URL in a reference definition, an attacker can supply a javascript: URI there. The Markdown parser later resolves the reference and emits an anchor whose href is that URI, and the script runs in the browser of anyone who clicks the rendered link.

This issue was fixed in version 0.16.2 of Shaarli.

Impact Analysis

This stored Cross-Site Scripting (XSS) vulnerability can allow an authenticated attacker to inject malicious JavaScript code into the Bookmark Description field.

Anyone who can view the affected bookmark, which for a public bookmark includes unauthenticated visitors, is served a link whose href is the attacker's javascript: URI. Clicking it runs the script in the victim's browser under the Shaarli instance's origin, which can lead to theft of sensitive information, session hijacking, or actions performed on behalf of the victim.

Because exploitation requires an authenticated account and a click by the victim (UI:R), the risk is somewhat limited, but it remains significant where several people share a Shaarli instance or where bookmarks are published to visitors.

Mitigation Strategies

Upgrade Shaarli to version 0.16.2 or later, which fixes the stored Cross-Site Scripting (XSS) issue in the Markdown-to-HTML conversion. Until the upgrade is done, two compensating measures reduce exposure: serve the instance with a Content-Security-Policy whose script-src does not include 'unsafe-inline', since browsers then refuse to run javascript: URLs as inline script, and review existing bookmark descriptions for reference definitions of the form [label]: javascript:... that were saved before the upgrade.
