CVE-2026-24476

EUVD-2026-4824
Shaarli is a personal bookmarking service. Prior to version 0.16.0, a crafted tag starting with `"` prematurely ends the `<input>` tag on the start page, allowing an attacker to add arbitrary HTML and leading to a possible XSS attack. Version 0.16.0 fixes the issue.
Cross-site Scripting

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.4 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

EPSS Score: Percentile: 6%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| shaarli_project | shaarli | 𝑥 < 0.16.0 |

𝑥 = Vulnerable software versions
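
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| shaarli | bookworm | | vulnerable |
| shaarli | bookworm (security) | 0.12.1+dfsg-8+deb12u2 | fixed |
| shaarli | forky | 0.16.1+dfsg-1 | fixed |
| shaarli | sid | 0.16.1+dfsg-1 | fixed |
| shaarli | trixie | | vulnerable |
| shaarli | trixie (security) | 0.14.0+dfsg-2+deb13u1 | fixed |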

Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| shaarli | jammy | dne |
| shaarli | noble | dne |
| shaarli | questing | dne |
| shaarli | xenial | needs-triage |