Hi,

The following vulnerability was published for shaarli.

CVE-2026-48823[0]:
| Shaarli is a personal bookmarking service. Versions 0.16.1 and prior
| contain a stored Cross-Site Scripting (XSS) vulnerability in the tag
| filtering functionality of Shaarli. An authenticated user can inject
| arbitrary JavaScript into the tags field when creating a bookmark
| (Shaare). The malicious payload is stored and later executed when
| users interact with the "Filter by tag" search feature on the
| homepage. User-supplied input in the tags field is not properly
| sanitized or output-escaped before being rendered in the tag
| filtering interface. When a bookmark is created with a malicious
| payload inside the tag field, the payload is stored in the database.
| Later, when a user searches using the "Filter by tag" functionality
| on the homepage, the application renders matching tags dynamically.
| If the tag value contains HTML with JavaScript event handlers, it is
| injected into the DOM. This impacts anyone interacting with the
| "Filter by tag" search functionality, administrators and privileged
| users. This issue has been fixed in version 0.16.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48823
    https://www.cve.org/CVERecord?id=CVE-2026-48823
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
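For anyone triaging the advisory above, here is an added example (not Shaarli's own code) of the rendering pattern it describes: a "Filter by tag" list built from stored, user-controlled tag values, first concatenated raw into markup and then with output escaping applied. The tag names, the `x()` handler and the renderer functions are constructed for illustration only.

```javascript
// Added example, not code from Shaarli. Stored tag values are attacker-
// controlled once any authenticated user can create a Shaare, so the tag
// filter must escape each value before it is placed into the DOM.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of a text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tags whose name contains the filter text, case-insensitively.
function matchingTags(tags, query) {
  const q = query.toLowerCase();
  return tags.filter((t) => t.toLowerCase().includes(q));
}

// Vulnerable pattern: the stored tag is concatenated straight into markup,
// so a tag holding an element with an event handler becomes live DOM.
function renderTagFilterUnsafe(tags, query) {
  return matchingTags(tags, query)
    .map((t) => `<a class="tag" href="?searchtags=${t}">${t}</a>`)
    .join("");
}

// Hardened form: URL-encode the value inside the href and HTML-escape the
// visible text, so the same stored tag renders as inert text.
function renderTagFilterSafe(tags, query) {
  return matchingTags(tags, query)
    .map((t) => `<a class="tag" href="?searchtags=${encodeURIComponent(t)}">${escapeHtml(t)}</a>`)
    .join("");
}

// Constructed sample: two ordinary tags and one carrying markup with a handler.
const SAMPLE_TAGS = ["debian", "security", '<b onmouseover="x()">sec</b>'];

// Detection helper: does the rendered HTML contain any start tag other than
// the <a> elements the renderer itself emits?
function containsForeignTag(html) {
  return /<(?!\/?a\b)[a-z]/i.test(html);
}

console.log("unsafe:", renderTagFilterUnsafe(SAMPLE_TAGS, "sec"));
console.log("safe:  ", renderTagFilterSafe(SAMPLE_TAGS, "sec"));
```

The same escaping has to happen wherever a stored tag is rendered (listing page, tag cloud, autocomplete), not only in the filter widget.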