CVE Catalog

CVE-2026-48822

MediumCVSS 5.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

Shaarli is a personal bookmarking service that versions 0.16.1 and prior contain a Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link.

Risk Assessment

This vulnerability allows an attacker to execute malicious JavaScript code in the user's browser context, potentially leading to data theft or session hijacking. Organizations should be aware of the risks associated with using this service in outdated versions.

Recommendation

It is recommended to upgrade to version 0.16.2, which fixes this vulnerability. Additionally, conducting a security audit of the application to identify other potential threats is advisable.

Original NVD description (English source)

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php.This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]\((.*?)\)#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS