VYPR
High severity · CVSS 7.1 · OSV Advisory · Published Aug 18, 2025 · Updated Apr 15, 2026

CVE-2025-55291

Description

Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the search-tags string that TagCloudController reflects into the page title of the tag cloud page is not HTML-escaped before it is assigned to the view. Because the content of `<title>` is only terminated by a literal `</title>`, an attacker-supplied `</title>` closes the element early and the remainder of the reflected value is parsed as markup in the document head, giving a reflected Cross-Site Scripting (XSS) vulnerability. It is fixed in 0.15.0 by escaping the reflected string before it is placed in the title (GHSA-7w7w-pw4j-265h).

Affected products

Shaarli (shaarli/Shaarli), versions prior to 0.15.0

Patches (2)
357ca3ae640a

bump Shaarli version to v0.15.0

https://github.com/shaarli/shaarli · nodiscc · Aug 16, 2025 · via osv
4 files changed · +9 −6
  • CHANGELOG.md (modified, +4 −1)
    @@ -6,7 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
     
     ------------------------
     
    -## [v0.15.0](https://github.com/shaarli/Shaarli/releases/tag/v0.15.0) - UNRELEASED
    +## [v0.15.0](https://github.com/shaarli/Shaarli/releases/tag/v0.15.0) - 2025-08-16
     
     ### Added
     
    @@ -32,6 +32,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
     * fix reflected XSS via searchtags parameter*
     * keep private links number private
     
    +**Full Changelog**: https://github.com/shaarli/Shaarli/compare/v0.14.0...v0.15.0
    +
    +
     ------------------------
     
     ## [v0.14.0](https://github.com/shaarli/Shaarli/releases/tag/v0.14.0) - 2024-12-08
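Review bot: the entry `* fix reflected XSS via searchtags parameter*` at the top of this hunk carries a stray trailing asterisk and names neither the advisory (GHSA-7w7w-pw4j-265h, per the merge commit below) nor the CVE; since this hunk turns v0.15.0 into the released version that ships the fix, reference the identifier in that entry so packagers and scanners can match the release to the advisory without reading the commits.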
    
  • doc/conf.py (modified, +2 −2)
    @@ -2,8 +2,8 @@
     # https://www.sphinx-doc.org/en/master/usage/configuration.html
     project = 'shaarli'
     author = 'shaarli community'
    -version = '0.12.2'
    -release = '0.12.2'
    +version = '0.15.0'
    +release = '0.15.0'
     copyright = '2011-2023, the shaarli community'
     language = 'en'
     html_title = 'Shaarli documentation'
    
  • README.md (modified, +2 −2)
    @@ -6,8 +6,8 @@ _Do you want to share the links you discover?_
     _Shaarli is a minimalist link sharing service that you can install on your own server._
     _It is designed to be personal (single-user), fast and handy._
     
    -[![](https://img.shields.io/badge/release-v0.14.0-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.14.0)
    -[![](https://img.shields.io/badge/master-v0.14.x-blue.svg)](https://github.com/shaarli/Shaarli)
    +[![](https://img.shields.io/badge/release-v0.15.0-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.15.0)
    +[![](https://img.shields.io/badge/master-v0.15.x-blue.svg)](https://github.com/shaarli/Shaarli)
     [![](https://github.com/shaarli/Shaarli/actions/workflows/ci.yml/badge.svg)](https://github.com/shaarli/Shaarli/actions)
     [![](https://github.com/shaarli/Shaarli/actions/workflows/trivy-release.yml/badge.svg)](https://github.com/shaarli/Shaarli/actions)
     [![Join the chat at https://gitter.im/shaarli/Shaarli](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/shaarli/Shaarli)
    
  • shaarli_version.php (modified, +1 −1)
    @@ -1 +1 @@
    -<?php /* dev */ ?>
    +<?php /* 0.15.0 */ ?>
    
66faa61335a6

Merge pull request #2157 from nodiscc/fix-GHSA-7w7w-pw4j-265h

https://github.com/shaarli/shaarli · nodiscc · Aug 16, 2025 · via osv
1 file changed · +1 −1
  • application/front/controller/visitor/TagCloudController.php (modified, +1 −1)
    @@ -87,7 +87,7 @@ protected function processRequest(string $type, Request $request, Response $resp
             $searchTags = !empty($searchTags) ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : '';
             $this->assignView(
                 'pagetitle',
    -            $searchTags . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
    +            escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
             );
     
             return $response->write($this->render('tag.' . $type));
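Review bot: `escape()` is applied where `pagetitle` is assigned rather than where the template prints it inside `<title>`, so every other controller that builds `pagetitle` from request data must remember the same call; if the template emits `pagetitle` raw (which the advisory implies, since this one-line change is the whole fix), escaping at that sink would close the class of bug instead of this one instance. Two smaller points: the call wraps the already-appended `' - '` suffix, which is harmless but reads as if the separator needed escaping, so `escape(trim(...))` on the line above would be clearer; and the hunk adds no test, so a regression test that sends `</title>` through the searchtags parameter and asserts `&lt;/title&gt;` in the rendered title is worth including so the escape cannot be dropped silently later.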
    

Vulnerability mechanics

The vulnerable line in application/front/controller/visitor/TagCloudController.php takes the request's search-tags string, replaces the tag separator with a space, trims it, appends ' - ' and concatenates it straight into the pagetitle view variable, which the template places inside <title>. An HTML parser treats the content of <title> as RCDATA: character references are decoded but no start tags are recognised, and the element ends only at the first '</title' followed by whitespace, '/' or '>'. A value such as </title><script>...</script> therefore ends the title early and the rest of the reflected string is tokenised as ordinary markup in the document head. The fix wraps the reflected string in Shaarli's escape() helper, so '<' and '>' reach the page as &lt; and &gt; and the title merely displays the payload text. The other parts of the title, the translated 'Tag <type>' label and general.title from the configuration, are not request-controlled and are left unescaped by the patch.
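The following is an added, constructed example (not Shaarli's code and not part of the advisory): it ports the two PHP lines from the fix hunk into Python, renders the result through an assumed minimal template that writes pagetitle raw between <title> and </title>, and checks the output with a small title-aware scanner that follows the RCDATA rule a browser applies. The escape() stand-in, the template, the untranslated 'Tag cloud' label and the payload string are all assumptions; Shaarli's real template and translation layer are not reproduced.

```python
"""Model of CVE-2025-55291: reflected search tags breaking out of <title>.

Constructed example, not Shaarli code. It ports the pre-fix and post-fix
title construction into Python and shows why only the escaped variant keeps
the browser inside the <title> element.
"""
import html
import re

# Constructed payload: a literal </title> ends the RCDATA element early,
# so everything after it is tokenised as ordinary markup.
PAYLOAD = "</title><script>alert(document.domain)</script>"


def escape(s: str) -> str:
    """Assumed stand-in for Shaarli's escape(): htmlspecialchars-like encoding."""
    return html.escape(s, quote=True)


def build_page_title(search_tags: str, *, fixed: bool, type_: str = "cloud",
                     tags_separator: str = " ", site_title: str = "Shaarli") -> str:
    """Port of the hunk: fixed=False is the pre-0.15.0 concatenation,
    fixed=True wraps the reflected prefix in escape() as the patch does.
    t('Tag ' . $type) is modelled as the untranslated string (assumption)."""
    prefix = ""
    if search_tags:
        prefix = search_tags.replace(tags_separator, " ").strip() + " - "
    if fixed:
        prefix = escape(prefix)
    return prefix + "Tag " + type_ + " - " + site_title


def render_page(page_title: str) -> str:
    """Assumed template: pagetitle is written raw between <title> and </title>,
    which the advisory implies since the controller change is the whole fix."""
    return ("<!DOCTYPE html><html><head><title>" + page_title + "</title></head>"
            "<body><h1>Tag cloud</h1></body></html>")


# RCDATA rules for <title>: no start tags are recognised inside it; the element
# ends at the first "</title" followed by whitespace, "/" or ">".
_TITLE_OPEN = re.compile(r"<title[\s>]", re.I)
_TITLE_CLOSE = re.compile(r"</title(?:[\t\n\f /][^>]*)?>", re.I)


def _title_span(doc: str):
    """Offsets (text_start, text_end, after_close_tag) of the first <title>, or None."""
    m = _TITLE_OPEN.search(doc)
    if m is None:
        return None
    start = doc.index(">", m.start()) + 1
    end = _TITLE_CLOSE.search(doc, start)
    if end is None:  # an unterminated title swallows the rest of the document
        return start, len(doc), len(doc)
    return start, end.start(), end.end()


def title_text(doc: str) -> str:
    """What the browser displays as the title: RCDATA with character references decoded."""
    span = _title_span(doc)
    if span is None:
        return ""
    return html.unescape(doc[span[0]:span[1]])


def markup_after_title(doc: str) -> str:
    """The part of the document tokenised as markup once <title> has ended."""
    span = _title_span(doc)
    return doc if span is None else doc[span[2]:]


def script_injected(doc: str) -> bool:
    """True if a <script> start tag reaches the tokeniser after the title ends."""
    return re.search(r"<script[\s>]", markup_after_title(doc), re.I) is not None


if __name__ == "__main__":
    for fixed in (False, True):
        doc = render_page(build_page_title(PAYLOAD, fixed=fixed))
        print("fixed" if fixed else "vulnerable", "| title:", repr(title_text(doc)),
              "| script reaches parser:", script_injected(doc))
```

Running the block prints the two outcomes side by side: the pre-fix title is empty because the payload's own `</title>` ended it, and the script tag is tokenised; with the escape the displayed title is simply the literal payload text and nothing after the real `</title>` is attacker-controlled.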
