CVE-2025-55291

Name: CVE-2025-55291
Description: Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string on the tag cloud page is not properly sanitized. This allows the </title> tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1111589
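The breakout the description refers to, shown as an added illustration in Python. This is not Shaarli's code (Shaarli is written in PHP); the page skeleton, the filter-string parameter and the payload are constructed stand-ins. The vulnerable renderer interpolates the user-controlled string into <title> verbatim; the hardened one HTML-escapes it first. Because <title> is an RCDATA element, markup inside it is inert except for the sequence "</title", so escaping "<" is exactly what closes the hole, and a cheap regression check is to count how many times that sequence appears in the rendered page.

```python
import html
import re

# Constructed payload (not taken from the advisory): ends the <title> element
# early so that the rest of the string is parsed as ordinary HTML.
PAYLOAD = '</title><script>alert(document.domain)</script>'

# Matches the only sequence that terminates RCDATA content in <title>:
# "</title" followed by whitespace, "/" or ">" (case-insensitive per HTML).
TITLE_CLOSE = re.compile(r'</title[\s/>]', re.IGNORECASE)


def render_title_vulnerable(tag_filter: str) -> str:
    """Models the pre-0.15.0 pattern: the filter string from the request
    lands inside <title> without escaping. Illustrative only; not Shaarli's
    template code."""
    return (f'<html><head><title>Tag cloud - {tag_filter}</title></head>'
            f'<body></body></html>')


def render_title_fixed(tag_filter: str) -> str:
    """Hardened form: escape before interpolating. html.escape turns "<", ">",
    "&" and (with quote=True) both quote characters into entities, so the
    browser renders the literal text and never sees a "</title" sequence."""
    safe = html.escape(tag_filter, quote=True)
    return (f'<html><head><title>Tag cloud - {safe}</title></head>'
            f'<body></body></html>')


def title_breakout(document: str) -> bool:
    """Regression check for a rendered page: a well-formed page closes <title>
    exactly once. Any additional "</title" sequence means untrusted input
    terminated the element early."""
    return len(TITLE_CLOSE.findall(document)) != 1


if __name__ == '__main__':
    for name, render in (('vulnerable', render_title_vulnerable),
                         ('fixed', render_title_fixed)):
        page = render(PAYLOAD)
        print(f'{name:10s} breakout={title_breakout(page)} '
              f'script_present={"<script>" in page}')
```

Running the block prints one line per renderer; only the vulnerable one reports a breakout and a live <script> element. The same check can be pointed at real responses by fetching the tag cloud page with the payload in the filter parameter and feeding the body to title_breakout.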

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release      Version                 Status
shaarli (PTS)    bookworm     0.12.1+dfsg-8+deb12u1   fixed
                 trixie       0.14.0+dfsg-2           fixed
                 forky, sid   0.15.0+dfsg-1           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version           Urgency   Origin   Debian Bugs
shaarli   source   bookworm     0.12.1+dfsg-8+deb12u1
shaarli   source   trixie       0.14.0+dfsg-2
shaarli   source   (unstable)   0.15.0+dfsg-1                              1111589

Notes

https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h
https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6 (v0.15.0)
