Shaarli has Stored Cross-Site Scripting (XSS) via Tags Search
Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the "Filter by tag" search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the "Filter by tag" functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the "Filter by tag" search functionality, including administrators and privileged users. This issue has been fixed in version 0.16.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"User-supplied input in the tags field is not sanitized or output-escaped before being rendered in the tag filtering interface, allowing stored XSS."
Attack vector
An authenticated attacker creates a bookmark (Shaare) with a malicious payload in the Tags field, such as `<img/src="x"onerror="alert('XSS_In_Tages')">xss` [ref_id=1]. The payload is stored persistently in the database. When any user (including administrators) uses the "Filter by tag" search bar on the homepage and searches for a tag matching the payload, the application renders the tag value dynamically into the DOM without output-escaping, causing the JavaScript event handler to execute [ref_id=1]. This is a stored Cross-Site Scripting (XSS) vulnerability.
Affected code
The vulnerability resides in the tag filtering functionality of Shaarli. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface [ref_id=1]. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database and later injected into the DOM without proper escaping when users interact with the "Filter by tag" search feature [ref_id=1].
What the fix does
The advisory states the issue has been fixed in version 0.16.2 [ref_id=1]. The patch does not show the specific code changes, but the fix would involve properly sanitizing or output-escaping user-supplied input in the tags field before rendering it in the tag filtering interface, preventing HTML and JavaScript from being injected into the DOM.
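The output-escaping approach described above, as an added example; it is not Shaarli's code and not the 0.16.2 patch. The function names, the substring matching and the `<li data-tag>` markup are assumptions made for illustration; the payload is the one quoted in the advisory and `bookmarks` is a constructed tag.

```javascript
// Added illustration; not Shaarli code. All function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored tag is concatenated into markup as-is.
function renderSuggestionUnsafe(tag) {
  return '<li data-tag="' + tag + '">' + tag + '</li>';
}

// Hardened pattern: the stored tag is encoded at the point of output.
function renderSuggestionSafe(tag) {
  const safe = escapeHtml(tag);
  return '<li data-tag="' + safe + '">' + safe + '</li>';
}

// Render every stored tag matching the filter text (simplified substring match, an assumption).
function renderTagFilter(storedTags, query, render) {
  const needle = query.trim().toLowerCase();
  return storedTags
    .filter((tag) => tag.toLowerCase().includes(needle))
    .map(render)
    .join('');
}

// True when the markup contains any element other than the expected <li>.
function containsInjectedElement(html) {
  return /<(?!\/?li[\s>])/i.test(html);
}

// Constructed sample data: one benign tag plus the payload quoted in the advisory.
const storedTags = ['bookmarks', `<img/src="x"onerror="alert('XSS_In_Tages')">xss`];

const unsafeHtml = renderTagFilter(storedTags, 'a ', renderSuggestionUnsafe);
const safeHtml = renderTagFilter(storedTags, 'a ', renderSuggestionSafe);
console.log('unsafe output contains injected element:', containsInjectedElement(unsafeHtml));
console.log('safe output contains injected element:', containsInjectedElement(safeHtml));
console.log(safeHtml);
```

The same encoding has to be applied wherever a stored tag reaches HTML, since escaping only one view leaves the stored value dangerous in the others.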
Preconditions
- auth: Attacker must be an authenticated user of Shaarli
- input: Attacker must create a bookmark with a malicious payload in the Tags field
- input: A victim user must use the 'Filter by tag' search functionality on the homepage
Reproduction
1. Log in to Shaarli.
2. Add a new link (Shaare).
3. Set any valid URL.
4. Set the Tags field to: `<img/src="x"onerror="alert('XSS_In_Tages')">xss`
5. Save the bookmark.
6. Navigate to the homepage.
7. In the "Filter by tag" search bar, search for: `a ` (note the trailing space).
8. Observe that the JavaScript payload executes immediately. [ref_id=1]
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/shaarli/Shaarli/releases/tag/v0.16.2 (mitre, x_refsource_MISC)
- github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6 (mitre, x_refsource_CONFIRM)