CVE-2026-24476 Overview
CVE-2026-24476 is a Cross-Site Scripting (XSS) vulnerability affecting Shaarli, a self-hosted personal bookmarking service. Prior to version 0.16.0, an attacker can craft a malicious tag starting with a double-quote character (") that prematurely terminates the <input> tag on the start page. This improper input handling allows injection of arbitrary HTML content, potentially leading to XSS attacks that could compromise user sessions or execute malicious scripts in the context of the victim's browser.
Critical Impact
Attackers can inject malicious HTML and JavaScript through crafted bookmark tags, potentially stealing session cookies, redirecting users to phishing sites, or performing actions on behalf of authenticated users.
Affected Products
- Shaarli versions prior to 0.16.0
- Self-hosted Shaarli instances with user-contributed or imported tags
- Shaarli deployments using the default template (tpl/default)
Discovery Timeline
- 2026-01-26 - CVE-2026-24476 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24476
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in Shaarli's template rendering logic where user-supplied tag names are inserted directly into HTML data-list attributes without proper escaping.
When a tag containing a double-quote character is processed, it prematurely closes the data-list attribute, allowing the attacker to inject additional HTML attributes or entirely new HTML elements. Since the tag data is rendered on the start page and edit link pages, any user viewing a page containing the malicious tag would be exposed to the injected content.
The attack requires local access and user interaction, as an attacker must either have the ability to create tags in the system or convince an administrator to import bookmarks containing malicious tags.
Root Cause
The root cause is the absence of output encoding when rendering tag names within HTML input element attributes. The Shaarli template engine loops through tags and outputs them directly into the data-list attribute without applying the escape filter. This allows special HTML characters like double-quotes to break out of the attribute context and inject arbitrary HTML.
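As an added illustration (not code from this page or from the Shaarli project), the following Python models the template's data-list attribute with and without the escape filter, using the crafted tag quoted elsewhere on this page, and then tokenizes the result the way a tolerant HTML parser would to show which attributes actually land on the <input>. The tag cloud is constructed sample data.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample tag cloud; the last key is the crafted tag this page cites.
TAGS = {"python": 3, "security": 5, '"onclick="alert(1)': 1}


def render_tags_input(tags, escaped):
    """Model of the template's <input ... data-list="{loop="$tags"}{$key}, {/loop}">.

    escaped=False reproduces the pre-0.16.0 rendering (raw tag keys);
    escaped=True models the |escape filter added by the fix.
    """
    keys = (escape(k, quote=True) if escaped else k for k in tags)
    data_list = "".join(f"{k}, " for k in keys)
    return (f'<input type="text" name="tags" id="tags" '
            f'data-list="{data_list}" autocomplete="off">')


class InputAttrs(HTMLParser):
    """Record the attributes a tolerant HTML tokenizer assigns to the <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # entity-decoded, like a browser's DOM


def input_attributes(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def compare():
    """Return (vulnerable_attrs, fixed_attrs) for the same tag cloud."""
    return (input_attributes(render_tags_input(TAGS, escaped=False)),
            input_attributes(render_tags_input(TAGS, escaped=True)))


if __name__ == "__main__":
    vuln, fixed = compare()
    # Unescaped: the quote in the tag ends data-list early and a separate
    # onclick attribute appears on the element.
    print("vulnerable:", sorted(vuln))
    # Escaped: a single data-list attribute whose decoded value still holds the tag.
    print("fixed:     ", sorted(fixed))
```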
Attack Vector
The attack vector is local with high complexity requirements. The attack proceeds in three steps:
- The attacker creates or injects a bookmark tag starting with a double-quote character (e.g., "onclick="alert(1))
- The attacker waits for, or triggers, a victim to visit the affected page (start page or edit link page)
- The malicious tag content then executes within the victim's browser context
The malicious tag could be introduced through:
- Direct tag creation if the attacker has access to the Shaarli instance
- Importing a crafted bookmark file containing malicious tags
- Social engineering to convince an administrator to add a bookmark with the malicious tag
// Patch excerpt (the fix, not exploitation code): the |escape filter is added to the tag key
</div>
<div>
<input type="text" name="tags" id="tags" class="lf_input"
- data-list="{loop="$tags"}{$key}, {/loop}" data-multiple data-autofirst autocomplete="off">
+ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple data-autofirst autocomplete="off">
</div>
<div>
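Review bot: the |escape on {$key} fixes this one sink, but the identical {loop="$tags"}{$key}, {/loop} fragment is duplicated in at least one other template (the edit link form shown further down), so the filter has to be applied at every place the tag cloud is interpolated into an attribute, and a search for {$key} across tpl/default would confirm no copy was missed. It is also worth confirming that the template engine's escape filter encodes double quotes (htmlspecialchars with ENT_QUOTES or equivalent), since " is exactly the character that breaks out of this double-quoted attribute.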
Source: GitHub Commit
The patch demonstrates the fix by adding the |escape filter to the {$key} variable, ensuring all tag names are properly HTML-encoded before being rendered in the template.
Detection Methods for CVE-2026-24476
Indicators of Compromise
- Presence of tags containing double-quote characters (") at the beginning
- Unusual HTML or JavaScript content appearing in tag fields in the database
- Browser console errors indicating malformed HTML on Shaarli pages
- Unexpected script execution or redirects when viewing bookmark pages
Detection Strategies
- Review the Shaarli database for tags containing suspicious characters such as ", <, >, or script keywords
- Monitor web server logs for unusual bookmark import activities or tag creation requests
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Use browser developer tools to inspect the page source for malformed <input> tags on Shaarli pages
Monitoring Recommendations
- Enable CSP reporting to capture any XSS attempts blocked by the policy
- Configure web application firewall (WAF) rules to detect and block requests containing XSS patterns in tag parameters
- Audit bookmark import functionality and restrict import capabilities to trusted administrators
- Monitor for anomalous session activity that could indicate session hijacking
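To support the tag review and import audit recommended above, here is an added example (not the page's or Shaarli's own code) that scans a bookmark file in the Netscape export format, assumed here to be the format Shaarli imports and exports, for tags containing quote or angle-bracket characters or inline-handler patterns. The sample file is constructed; the point it makes is that a quote inside a TAGS attribute is stored entity-encoded, so the check must run on the decoded value rather than on the raw file text.

```python
import re
from html.parser import HTMLParser

# Constructed Netscape-format bookmark export. Quotes and angle brackets inside
# the TAGS attribute are entity-encoded in the file, so a plain text grep for
# '"' or '<' would miss the second and third entries.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://example.org/a" ADD_DATE="1700000000" TAGS="python,security">A</A>
<DT><A HREF="https://example.org/b" ADD_DATE="1700000001" TAGS="notes,&quot;onclick=&quot;alert(1)">B</A>
<DT><A HREF="https://example.org/c" ADD_DATE="1700000002" TAGS="reading,&lt;script&gt;x">C</A>
</DL><p>
"""

# Characters that can leave an attribute or start an element, plus the common
# inline-handler and javascript: shapes. Tags legitimately almost never need these.
SUSPICIOUS_TAG = re.compile(r'["<>]|javascript:|\bon\w+\s*=', re.IGNORECASE)


class TagAuditor(HTMLParser):
    """Collect (href, tag) pairs whose decoded tag matches SUSPICIOUS_TAG."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)                 # attribute names arrive lower-cased,
        raw_tags = a.get("tags") or ""  # values arrive entity-decoded
        for t in (part.strip() for part in raw_tags.split(",")):
            if t and SUSPICIOUS_TAG.search(t):
                self.findings.append((a.get("href"), t))


def audit_bookmark_export(text):
    """Return a list of (href, suspicious_tag) for the given export text."""
    p = TagAuditor()
    p.feed(text)
    p.close()
    return p.findings


if __name__ == "__main__":
    for href, t in audit_bookmark_export(SAMPLE_EXPORT):
        print(f"suspicious tag {t!r} on bookmark {href}")
```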
How to Mitigate CVE-2026-24476
Immediate Actions Required
- Upgrade Shaarli to version 0.16.0 or later immediately
- Review existing tags in the database for any containing suspicious characters
- Implement Content Security Policy headers as defense-in-depth
- Consider temporarily restricting tag creation or bookmark import capabilities until the patch is applied
Patch Information
The vulnerability has been addressed in Shaarli version 0.16.0. The fix applies proper HTML escaping to tag names when rendering them in template files. The security patch can be reviewed in the GitHub Commit. Additional details are available in the GitHub Security Advisory.
The following patch was applied to tpl/default/editlink.html:
</div>
<div class="{if="$retrieve_description"}{$asyncLoadClass}{/if}">
<input type="text" name="lf_tags" id="lf_tags{$batchId}" value="{$link.tags}" class="lf_input autofocus"
- data-list="{loop="$tags"}{$key}, {/loop}" data-multiple data-autofirst autocomplete="off" >
+ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple data-autofirst autocomplete="off" >
<div class="icon-container">
<i class="loader"></i>
</div>
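Review bot: the preceding value="{$link.tags}" attribute on the same <input> also interpolates tag names into a double-quoted attribute and is left untouched by this hunk; confirm that $link.tags is already escaped before it reaches the template, or add |escape there as well, otherwise the same quote breakout remains reachable through the value attribute. Minor style point: both the removed and the added line keep a stray space before the closing > (autocomplete="off" >).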
Source: GitHub Commit
Workarounds
- Manually sanitize existing tags by removing or escaping any double-quote characters from the database
- Implement a Content Security Policy header with script-src 'self' to mitigate the impact of successful XSS
- Restrict access to the Shaarli instance to trusted users until patching is complete
- Disable bookmark import functionality temporarily if external bookmark files are not essential
# Configuration example
# Add Content Security Policy header to your web server configuration
# For Apache (.htaccess or virtual host config):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# For Nginx (server block):
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

