{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.547Z", "datePublished": "2026-01-26T22:26:59.886Z", "dateUpdated": "2026-01-27T15:20:27.830Z"}, "containers": {"cna": {"title": "Shaarli vulnerable to stored XSS via Suggested Tags", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg"}, {"name": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063", "tags": ["x_refsource_MISC"], "url": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063"}], "affected": [{"vendor": "shaarli", "product": "Shaarli", "versions": [{"version": "< 0.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:26:59.886Z"}, "descriptions": [{"lang": "en", "value": "Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `\"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue."}], "source": {"advisory": "GHSA-g3xq-mj52-f8pg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T15:19:45.323810Z", "id": "CVE-2026-24476", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T15:20:27.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24476", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T15:19:45.323810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T15:20:15.443Z"}}], "cna": {"title": "Shaarli vulnerable to stored XSS via Suggested Tags", "source": {"advisory": "GHSA-g3xq-mj52-f8pg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "shaarli", "product": "Shaarli", "versions": [{"status": "affected", "version": "< 0.16.0"}]}], "references": [{"url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg", "name": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063", "name": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `\"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:26:59.886Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24476", "state": "PUBLISHED", "dateUpdated": "2026-01-27T15:20:27.830Z", "dateReserved": "2026-01-23T00:38:20.547Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T22:26:59.886Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shaarli_project:shaarli:*:*:*:*:*:*:*:*", "matchCriteriaId": "648ADAFF-B886-4426-BD9A-C67B4B839AA4", "versionEndExcluding": "0.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `\"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue."}], "id": "CVE-2026-24476", "lastModified": "2026-02-17T20:45:33.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T23:16:09.283", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:50:12.621321+00:00", "value": {"mitigation_remediation": ["Upgrade to Shaarli 0.16.0 or later, which removes the double\u2011quote parsing bug and sanitizes tag input.", "If upgrading cannot be performed immediately, disable the suggested tags feature or restrict tag creation to administrators only to stop new malicious tags from being added.", "Apply input sanitization manually by escaping quotation marks in existing tags or by performing a database cleanup to replace problematic tag values before the application starts up."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross-Site Scripting via Suggested Tags"}, "threat_synthesis": {"affected_systems": "Shaarli personal bookmarking service versions older than 0.16.0. All installations prior to this release, regardless of deployment environment, are susceptible as they lack the input sanitization fix introduced in 0.16.0.", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary HTML through a tag that begins with a double quote. This prematurely closes the input element on the start page, enabling the injection of malicious code and resulting in a stored cross-site scripting flaw. The weakness a classic input validation failure identified as CWE\u201179. Attackers who can create or edit tags can embed scripts that execute in the browsers of anyone who views the affected page, potentially compromising account credentials or performing session hijacking, thereby affecting confidentiality and integrity of the system. The impact scope covers all users who access the blogging or bookmarking interface, potentially rendering the service unusable for legitimate visitors.", "risk_and_exploitability": "The CVSS v3 score of 5.3 indicates moderate severity, while the EPSS value of less than 1% suggests low current exploit probability. The vulnerability is not listed in the CISA KEV catalog, implying it is not actively exploited in the wild. The likely attack vector involves an attacker creating a malicious tag via the suggested tags feature; this requires write access to tag data. Once injected, the payload is stored and delivered to subsequent users who view the page, making it a classic stored XSS scenario."}}}}, "created": "2026-01-27T09:03:06.466339+00:00", "updated": "2026-04-18T19:00:08.037086+00:00", "vendors": ["shaarli_project", "shaarli_project$PRODUCT$shaarli"]}