CVE-2025-55291: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-55291 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in Shaarli versions <=0.14.0. The vulnerability exists in the cloud tag page where the searchtags parameter is not properly sanitized, allowing attackers to inject malicious scripts (GitHub Advisory).

The vulnerability occurs when the searchtags parameter input is reflected inside an HTML tag without proper sanitization. An attacker can break out of the title element context by injecting specially crafted payloads, enabling arbitrary HTML or JavaScript injection into the page. The vulnerability has been assigned a CVSS v3.1 score of 7.1 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory).

This vulnerability allows attackers to perform actions on behalf of other users or steal sensitive data through cross-site scripting attacks. The CVSS metrics indicate high impact on both confidentiality and integrity, though availability is not affected (GitHub Advisory).

The vulnerability has been patched in Shaarli version 0.15.0 and later releases. The fix involves properly escaping the searchtags parameter value before output using the escape() function (GitHub Commit).