
Insufficient Filename Sanitization Could lead to DOM XSS via Upload

Low
nodiscc published GHSA-vwcv-9hj3-8982 Aug 16, 2025

Package

shaarli

Affected versions

<=0.14.0

Patched versions

>=0.15.0

Description

Shaarli versions prior to 0.15.0 are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability caused by insufficient sanitization of special characters in uploaded or embedded filenames. When a specially crafted filename containing characters such as <, >, ", or ' is rendered in the DOM without escaping, the browser interprets the filename as HTML markup and executes any script it carries. The vector is somewhat limited by context and browser behavior, hence the low severity rating.

A file uploaded with the following filename will trigger DOM XSS:

<img src="x" onerror="alert(1);">

[Screenshot: shaarli DOM XSS]
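The following is an added illustration of the bug class, not Shaarli's own code: it contrasts the vulnerable pattern (interpolating a raw filename into markup destined for innerHTML) with a tag-specific filter that only stops the reported payload, and with escaping at the point of output, which is what closes the hole. The rendering functions, the extra "alternate syntax" filenames, and the toy tag lister are all constructed here for the demonstration; it runs under Node without a browser.

```javascript
// Added example (not Shaarli's code): an unescaped filename becomes DOM XSS,
// a filter aimed at the reported payload misses alternate syntax, and output
// escaping covers all of them.

// Filename taken from the advisory.
const ADVISORY_FILENAME = '<img src="x" onerror="alert(1);">';

// Constructed variants that a tag-specific filter misses (CWE-87 territory).
const ALT_FILENAMES = [
  '<IMG SRC="x" ONERROR="alert(1)">', // different case
  '<svg onload="alert(1)">',          // different element
  '<img src="x" onerror="alert(1)"',  // unclosed tag; browsers still build an <img>
];

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw filename is interpolated into markup that a page
// would later assign to innerHTML (or insert with an equivalent DOM API).
function renderAttachmentUnsafe(filename) {
  return `<li class="attachment">${filename}</li>`;
}

// Tempting but insufficient fix: strip only the tag used in the report.
function stripImgTag(filename) {
  return filename.replace(/<img[^>]*>/g, '');
}
function renderAttachmentFiltered(filename) {
  return `<li class="attachment">${stripImgTag(filename)}</li>`;
}

// Hardened pattern: escape at output time, whatever the filename contains.
function renderAttachmentEscaped(filename) {
  return `<li class="attachment">${escapeHtml(filename)}</li>`;
}

// Toy tag lister for the checks below. It only recognises `<name` and `</name`
// openers, so it is not an HTML parser, but it is enough to show whether the
// filename introduced an element beyond the wrapper <li>.
function elementNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered markup contains any element other than the wrapper <li>.
function introducesElement(html) {
  return elementNames(html).some((n) => n !== 'li');
}

// Stand-alone run: one row per filename and rendering strategy.
for (const name of [ADVISORY_FILENAME, ...ALT_FILENAMES]) {
  console.log(JSON.stringify(name), {
    unsafe: introducesElement(renderAttachmentUnsafe(name)),
    filtered: introducesElement(renderAttachmentFiltered(name)),
    escaped: introducesElement(renderAttachmentEscaped(name)),
  });
}
```

The filtered renderer reports `false` for the advisory's exact filename and `true` for every variant, while the escaped renderer reports `false` throughout; the same result is reached by building the node with `document.createElement` and assigning the filename to `textContent` instead of `innerHTML`. Filename validation on upload is a reasonable extra layer, but since the filename can also arrive through embedded links and other paths, escaping where the value is written into the DOM is the control that actually removes the bug.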

Severity

Low

CVE ID

No known CVE

Weaknesses

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

CWE-87: Improper Neutralization of Alternate XSS Syntax

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Credits