Moderate severityNVD Advisory· Published Feb 7, 2023· Updated Mar 25, 2025
Cross-site Scripting (XSS) - Stored in wallabag/wallabag
CVE-2023-0736
Description
Cross-site Scripting (XSS) - Stored in GitHub repository wallabag/wallabag prior to 2.5.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wallabag/wallabagPackagist | < 2.5.4 | 2.5.4 |
Affected products
1- Range: unspecified
Patches
14e023bddc362Merge pull request #6288 from wallabag/2.5/xss-username-share-page
1 file changed · +1 −1
src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig+1 −1 modified@@ -28,7 +28,7 @@ <header class="block"> <h1>{{ entry.title|e|raw }}</h1> <a href="{{ entry.url|e }}" target="_blank" rel="noopener" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a> - <p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username})|raw }}.</p> + <p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username|escape})|raw }}.</p> </header> <article class="block"> {{ entry.content | raw }}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.