Primary

Context

Shaarli Reflected Cross-Site Scripting Vulnerability

Vulnerability

Patched

A reflected cross-site scripting vulnerability has been identified in Shaarli versions prior to 0.15.0. The issue arises because the input string on the cloud tag page is not properly sanitized, allowing for the injection of arbitrary HTML or JavaScript. This vulnerability has been patched in version 0.15.0.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, visit the cloud tag page and inject a payload into the searchtags parameter that includes a </title> tag followed by a script, such as an image tag with an onerror attribute. This will trigger a JavaScript alert by breaking out of the title context and executing the injected script.

Remediation

Users can upgrade to Shaarli version 0.15.0 or later to address this vulnerability.

Added: Aug 18, 2025, 5:17 PM

Updated: Aug 18, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

1.7

exploitability

7.7

remediation

7.7

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

1.7

exploitability

7.7

remediation

7.7

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Shaarli Reflected Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Shaarli

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating