PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48823 shaarli CVE debrief

CVE-2026-48823 is a stored Cross-Site Scripting (XSS) vulnerability in Shaarli's tag filtering functionality. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark. The malicious payload is stored and later executed when users interact with the 'Filter by tag' search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface.

Vendor
shaarli
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Administrators and users of Shaarli version 0.16.1 and prior should apply the patch to prevent exploitation of this vulnerability. This issue has been fixed in version 0.16.2. Affected operators should review their deployments and ensure that an owner is assigned for follow-up. Vulnerability management and security teams should prioritize patching and verify the integrity of affected systems.

Technical summary

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the 'Filter by tag' search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface.

Defensive priority

Medium priority given the CVSS score of 4.8 and the potential impact on users interacting with the 'Filter by tag' search functionality.

Recommended defensive actions

  • Apply the patch by upgrading to Shaarli version 0.16.2 or later
  • Review and sanitize user-supplied input in the tags field
  • Implement output-escaping for rendered tags in the tag filtering interface
  • Monitor for suspicious activity related to the 'Filter by tag' search feature
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-06-17T20:17:23.210Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to the official CVE record and NVD entry. Defenders should verify the affected scope and severity based on the official advisory. The patch is available in version 0.16.2, and users should review and sanitize user-supplied input in the tags field.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T20:17:23.210Z and has not been modified since then. The NVD entry is currently Deferred.