DEBIAN-CVE-2026-48822

Source
https://security-tracker.debian.org/tracker/CVE-2026-48822
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48822.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-48822
Upstream
Published
2026-06-17T20:17:23.060Z
Modified
2026-06-18T11:00:07.784181312Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php.This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]((.*?))#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2.

References

Affected packages

Debian:12 / shaarli

Package

Name
shaarli
Purl
pkg:deb/debian/shaarli?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.12.1+dfsg-8
0.12.1+dfsg-8+deb12u1
0.12.1+dfsg-8+deb12u2
0.13.0+dfsg-1
0.13.0+dfsg-2
0.13.0+dfsg-3
0.13.0+dfsg-4
0.13.0+dfsg-5
0.14.0+dfsg-1
0.14.0+dfsg-2
0.15.0+dfsg-1
0.16.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48822.json"

Debian:13 / shaarli

Package

Name
shaarli
Purl
pkg:deb/debian/shaarli?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.14.0+dfsg-1
0.14.0+dfsg-2
0.14.0+dfsg-2+deb13u1
0.15.0+dfsg-1
0.16.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48822.json"