CVE-2026-48823
Deferred Deferred - Pending Action

Stored XSS in Shaarli Bookmarking Service

Vulnerability report for CVE-2026-48823, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the "Filter by tag" search functionality, administrators and privileged users. This issue has been fixed in version 0.16.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-18
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shaarli shaarli to 0.16.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript code in the context of the affected application. This can lead to theft of sensitive information such as session cookies, unauthorized actions performed on behalf of users, or other malicious activities. Both administrators and privileged users who interact with the "Filter by tag" feature are at risk. The impact includes potential compromise of confidentiality and integrity of user data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Shaarli to version 0.16.2 or later, where the stored Cross-Site Scripting (XSS) issue in the tag filtering functionality has been fixed.

Avoid using the "Filter by tag" search feature with untrusted or suspicious tags until the upgrade is applied.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue in Shaarli versions 0.16.1 and prior, allowing authenticated users to inject arbitrary JavaScript into the tags field. This can lead to unauthorized script execution when users interact with the tag filtering functionality.

Such XSS vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of sensitive user data, compromise user privacy, and violate requirements for protecting personal information.

Specifically, GDPR mandates appropriate technical measures to ensure data security and prevent unauthorized processing, while HIPAA requires safeguards to protect electronic protected health information (ePHI). An XSS vulnerability could be exploited to bypass these safeguards.

Therefore, this vulnerability could negatively affect compliance with these regulations until it is remediated, as it exposes the application to potential data breaches or unauthorized actions.

Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue found in Shaarli versions 0.16.1 and earlier. It occurs in the tag filtering functionality where an authenticated user can inject arbitrary JavaScript code into the tags field when creating a bookmark. The malicious script is stored in the database and later executed when users interact with the "Filter by tag" search feature on the homepage. This happens because user input in the tags field is not properly sanitized or escaped before being displayed, allowing the injected script to run in the context of other users.

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the tag filtering functionality of Shaarli versions 0.16.1 and prior. Detection involves checking for malicious JavaScript payloads stored in the tags field of bookmarks.

To detect this vulnerability on your system, you can:

  • Review the tags stored in the Shaarli database for suspicious or unexpected JavaScript code or HTML event handlers.
  • Use database query commands to extract tags and inspect them for script tags or event handler attributes (e.g., onclick, onmouseover). For example, if using SQLite, you might run a query like: SELECT tags FROM bookmarks WHERE tags LIKE '%<script%' OR tags LIKE '%on%=%';
  • Manually test the "Filter by tag" feature in the Shaarli web interface by inputting tags containing JavaScript payloads to see if they execute.

Note that this vulnerability requires authenticated access to create malicious tags, so detection commands should be run with appropriate permissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48823. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart