CVE-2026-24476 - Vulnerability Details

Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.

Attack Vector Local

Attack Complexity High

Privileges Required High

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063
https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg

History

Mon, 26 Jan 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.
Title		Shaarli vulnerable to stored XSS via Suggested Tags
Weaknesses		CWE-79
References		https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063 https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-26T22:26:59.886Z

Updated: 2026-01-26T22:26:59.886Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24476

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-26T23:16:09.283

Modified: 2026-01-26T23:16:09.283

Link: CVE-2026-24476

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object