Moderate severityNVD Advisory· Published Jan 18, 2022· Updated Apr 22, 2025

Cross-Site Scripting in Onionshare

CVE-2022-21690

Description

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the Onionshare frontend.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
onionshare-cliPyPI	< 2.5	2.5

Affected products

Onionshare/Onionsharev5
Range: < 2.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-ch22-x2v3-v6vqghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-21690ghsaADVISORY
github.com/onionshare/onionshare/releases/tag/v2.5ghsax_refsource_MISCWEB
github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vqghsax_refsource_CONFIRMWEB
github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-41.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000