Shaarli: DOM-based Cross-Site Scripting (XSS) in Thumbnail Synchronizer
Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the 'raw' formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The client-side script thumbnails-update.js uses innerHTML to insert unsanitized bookmark titles from the AJAX response into the DOM."
Attack vector
An attacker creates a bookmark whose title contains a malicious HTML payload (e.g. `<img src=x onerror=alert('DOM_XSS')>`). When an administrator later runs the thumbnail synchronization feature, the backend `ThumbnailsController::ajaxUpdate` method returns the unescaped title in a JSON response. The client-side script `thumbnails-update.js` inserts that response into the DOM via `elements.title.innerHTML = response.title`, causing the browser to parse the title as markup and execute the embedded JavaScript [ref_id=1]. The attack requires the victim to be an authenticated administrator who triggers the thumbnail update process.
What the fix does
The advisory states the issue is fixed in version 0.16.2 but does not include a patch diff. The fix would need to sanitize the bookmark title before inserting it into the DOM, for example by using `textContent` instead of `innerHTML` or by applying HTML escaping on the server side before returning the JSON response [ref_id=1]. Without sanitization, any HTML or JavaScript embedded in a bookmark title is rendered and executed in the administrator's browser.
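The two remediation options named above, side by side with the unsafe assignment the advisory quotes, as an added example that is not Shaarli's code. The `elements.title` / `response.title` shape is taken from the quoted line; the `makeElement` stand-in for a DOM node and the sample title are constructed so the snippet runs under Node.js without a browser.

```javascript
// Added example, not part of Shaarli. Shows the unsafe pattern from the advisory
// and the two fixes it suggests: textContent on the client, HTML escaping on the server.

// Constructed stand-in for a DOM element: a real browser node would parse
// anything assigned to innerHTML as markup; here we only record what was assigned.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Unsafe pattern quoted in the advisory: the server-supplied title is parsed as HTML.
// Any <script>, <img onerror=...> etc. inside the title runs in the admin's browser.
function applyProgressUnsafe(elements, response) {
  elements.title.innerHTML = response.title;
}

// Fix option 1 (client side): assign text, not markup. The browser renders the
// characters literally and never creates elements or event handlers from them.
function applyProgressSafe(elements, response) {
  elements.title.textContent = response.title;
}

// Fix option 2 (server side): escape the five HTML-significant characters before
// the value is placed in the JSON response. The result is safe even if a client
// still inserts it with innerHTML, because no tag or attribute can form.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulates the server building the AJAX response with escaping applied.
function buildProgressResponse(bookmark) {
  return { title: escapeHtml(bookmark.title) };
}

// Constructed sample title, the payload shape quoted in the advisory.
const SAMPLE_TITLE = "<img src=x onerror=alert('DOM_XSS')>";

// Demonstration: the unsafe path hands raw markup to innerHTML, the safe paths do not.
function demo() {
  const unsafe = { title: makeElement() };
  applyProgressUnsafe(unsafe, { title: SAMPLE_TITLE });

  const safeClient = { title: makeElement() };
  applyProgressSafe(safeClient, { title: SAMPLE_TITLE });

  const safeServer = { title: makeElement() };
  applyProgressUnsafe(safeServer, buildProgressResponse({ title: SAMPLE_TITLE }));

  return {
    unsafeInnerHtml: unsafe.title.innerHTML,
    safeClientText: safeClient.title.textContent,
    safeServerInnerHtml: safeServer.title.innerHTML,
  };
}

module.exports = { makeElement, applyProgressUnsafe, applyProgressSafe, escapeHtml, buildProgressResponse, demo, SAMPLE_TITLE };
```

Of the two, the client-side change is the smaller and more robust fix for this bug, since it removes the HTML parse entirely; server-side escaping protects other consumers of the same endpoint but must be applied consistently to every field that reaches `innerHTML`.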
Preconditions
- The victim must be an authenticated administrator of the Shaarli instance
- The administrator must navigate to /admin/thumbnails and trigger the thumbnail update process
- A bookmark with a malicious title must exist in the database
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/shaarli/Shaarli/releases/tag/v0.16.2
- github.com/shaarli/Shaarli/security/advisories/GHSA-mw63-f9qj-c5h3
News mentions
No linked articles in our index yet.