PT-2026-50535 · Shaarli · Shaarli

Published: 2026-06-17 · Updated: 2026-06-18 · CVE-2026-48822

CVSS v3.1: 5.8 (Medium)
Vector: AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Shaarli versions prior to 0.16.2
Description: A stored Cross-Site Scripting (XSS) vulnerability exists in the Markdown-to-HTML conversion used for the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown reference-style link. The problem lies in the filterProtocols() function in BookmarkMarkdownFormatter.php, which uses a regular expression to sanitize links. This regex does not recognise reference-style links, because the Markdown parser resolves them only after preprocessing, so the URL actually used by such a reference is never inspected by filterProtocols().
Recommendations: Update to version 0.16.2.
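To make the ordering problem concrete, here is an added Python illustration that is not Shaarli's code: the source-level regex, the tiny reference-link resolver and the sample description are constructed stand-ins. It shows that a protocol filter run over the Markdown source never sees the URL of a reference-style link, while the same allow-list check applied to the rendered anchors does.

```python
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "mailto"}

SAMPLE = "See [the docs][1] for details.\n\n[1]: javascript:void(0)\n"  # constructed input

def _scheme(url):
    return url.split(":", 1)[0].lower() if ":" in url else None

def filter_protocols_in_source(md):
    # Source-level filter of the kind the advisory describes (reconstructed stand-in,
    # not Shaarli's regex): only inline [text](url) links are recognised, so a
    # reference definition on its own line is never inspected.
    def strip(m):
        s = _scheme(m.group(2))
        return m.group(0) if s is None or s in ALLOWED_SCHEMES else f"[{m.group(1)}](#)"
    return re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", strip, md)

def render_reference_links(md):
    # Minimal reference-link resolver standing in for the real Markdown parser:
    # collect [label]: url definitions, then expand [text][label] into anchors.
    defs, body = {}, []
    for line in md.splitlines():
        m = re.fullmatch(r"\s*\[([^\]]+)\]:\s*(\S+)\s*", line)
        if m:
            defs[m.group(1).lower()] = m.group(2)
        else:
            body.append(line)
    def expand(m):
        url = defs.get(m.group(2).lower())
        return f'<a href="{url}">{m.group(1)}</a>' if url else m.group(0)
    return re.sub(r"\[([^\]]+)\]\[([^\]]+)\]", expand, "\n".join(body))

class _HrefCollector(HTMLParser):
    # Collects anchor hrefs whose scheme is outside the allow-list.
    def __init__(self):
        super().__init__()
        self.unsafe = []
    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            s = _scheme(val or "")
            if tag == "a" and name == "href" and s and s not in ALLOWED_SCHEMES:
                self.unsafe.append(val)

def unsafe_hrefs_after_render(html):
    # Post-render check on the anchors the parser actually emitted.
    p = _HrefCollector()
    p.feed(html)
    return p.unsafe
```

The defensive takeaway is the ordering: run the scheme allow-list over the rendered href attributes (and reject or neutralise offending anchors there), not over the Markdown source.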

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-48822

Affected Products

Shaarli