CVE-2026-48823
Status: Deferred - Pending Action
Stored XSS in Shaarli Bookmarking Service

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This affects anyone who interacts with the "Filter by tag" search functionality, including administrators and privileged users. This issue has been fixed in version 0.16.2.
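The root cause described above is the missing output-escaping step between the stored tag value and the markup of the tag filter. The following is an added illustration of that step and is not Shaarli's own code: the tag names, the list markup and the function names (escapeHtml, renderTagFilterUnsafe, renderTagFilterSafe, containsForeignMarkup) are constructed for this example, and the rendering is done as plain HTML strings so it runs outside a browser.

```javascript
// Added example (not Shaarli's code): the escaping step whose absence
// CWE-79 describes, applied to stored bookmark tags before they are
// rendered into "Filter by tag" markup.

// Constructed sample of tags as they might be stored with a bookmark.
// The third entry is not a tag name at all but markup carrying an event
// handler; it stands in for the kind of value the advisory describes.
const STORED_TAGS = [
  'php',
  'self-hosting',
  '<b onmouseover="x()">tag</b>', // constructed, represents injected markup
];

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the stored tag is interpolated verbatim, so any markup
// in the tag becomes part of the page and its event handlers become live.
function renderTagFilterUnsafe(tags) {
  return tags.map((t) => `<li class="tag" data-tag="${t}">${t}</li>`).join('');
}

// Hardened pattern: every interpolation is escaped for its context; here the
// attribute value and the element text both take HTML escaping.
function renderTagFilterSafe(tags) {
  return tags
    .map((t) => {
      const e = escapeHtml(t);
      return `<li class="tag" data-tag="${e}">${e}</li>`;
    })
    .join('');
}

// Simple check for a test or a review: does the rendered fragment contain any
// element other than the <li> items the renderer itself emits?
function containsForeignMarkup(html) {
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) =>
    m[1].toLowerCase()
  );
  return tagNames.some((name) => name !== 'li');
}

console.log('unsafe leaks markup:', containsForeignMarkup(renderTagFilterUnsafe(STORED_TAGS)));
console.log('safe leaks markup:  ', containsForeignMarkup(renderTagFilterSafe(STORED_TAGS)));
console.log(renderTagFilterSafe(STORED_TAGS));
```

In a real browser the same effect is obtained by building the list with createElement and assigning the tag name to textContent rather than concatenating it into innerHTML; the string-based version above exists only so the difference between the two patterns can be checked offline.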
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: shaarli
Product: shaarli
Version / Range: up to 0.16.2 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue found in Shaarli versions 0.16.1 and earlier. It occurs in the tag filtering functionality where an authenticated user can inject arbitrary JavaScript code into the tags field when creating a bookmark. The malicious script is stored in the database and later executed when users interact with the "Filter by tag" search feature on the homepage. This happens because user input in the tags field is not properly sanitized or escaped before being displayed, allowing the injected script to run in the context of other users.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript in the context of the affected application and of the user viewing the page. That can lead to theft of sensitive information such as session cookies, actions performed on behalf of the victim without their consent, or other malicious activity. Both administrators and privileged users who interact with the "Filter by tag" feature are at risk. The impact includes potential compromise of the confidentiality and integrity of user data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Shaarli to version 0.16.2 or later, where the stored Cross-Site Scripting (XSS) issue in the tag filtering functionality has been fixed.

Avoid using the "Filter by tag" search feature with untrusted or suspicious tags until the upgrade is applied.
