CVE-2026-48823

Name of the Vulnerable Software and Affected Versions Shaarli versions prior to 0.16.2

Description A stored Cross-Site Scripting (XSS) issue exists in the tag filtering functionality. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark. Because user-supplied input in the tags field is not properly sanitized or output-escaped, the malicious payload is stored in the database and executed when users, including administrators and privileged users, interact with the "Filter by tag" search feature on the homepage. The application renders matching tags dynamically, allowing HTML with JavaScript event handlers to be injected into the DOM.

Recommendations Update to version 0.16.2.