CVE-2025-55291: 
Linux Debian vulnerability analysis and mitigation

Shaarli, a minimalist bookmark manager and link sharing service, was found to contain a reflected Cross-Site Scripting (XSS) vulnerability (CVE-2025-55291) discovered in August 2025. The vulnerability affects versions prior to 0.15.0, where the input string in the cloud tag page was not properly sanitized, allowing premature tag closure and potential XSS attacks (GitHub Advisory).

The vulnerability exists in the cloud tag page functionality where the searchtags parameter is not properly sanitized before being reflected in the page output. The issue has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) and CWE-87 (Improper Neutralization of Alternate XSS Syntax) (NVD).

This vulnerability allows attackers to inject arbitrary HTML or JavaScript code into the page, potentially leading to the execution of malicious scripts in users' browsers. The impact includes possible theft of sensitive data and the ability to perform actions on behalf of other users (GitHub Advisory).

The vulnerability has been fixed in version 0.15.0 of Shaarli. The fix involves properly escaping the searchtags parameter using the escape() function before outputting it in the page title (GitHub Commit).