
Shaarli

v0.16.2 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 11 days ago · Category: Productivity & Wikis
✓ No known CVEs patched
This release patches 3 security issues; no CVE IDs have been assigned to them

Topics

bookmarking bookmarks bookmarks-manager self-hosted

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal
editorial:auto 11d

Version v0.16.2 patches multiple XSS vulnerabilities and updates vulnerable frontend/npm dependencies.

Why it matters: Fixes XSS in autocomplete suggestions, Markdown links, and thumbnail DOM insertions; upgrades all affected npm packages to patched versions – critical for any deployment using these components.

Summary

AI summary

A mixed release: v0.16.2 (2026-05-23) bundles XSS fixes, dependency and build-tooling updates, and documentation additions.

Changes in this release

Security · Medium
Fixes XSS by encoding tag text in Awesomplete autocomplete suggestions
Source: llm_adapter@2026-05-24 · Confidence: high

Security · Medium
Fixes XSS by sanitizing href protocols in rendered Markdown HTML
Source: llm_adapter@2026-05-24 · Confidence: high

Security · Medium
Fixes XSS by sanitizing thumbnail update DOM insertions
Source: llm_adapter@2026-05-24 · Confidence: high

Dependency · Medium
Updates vulnerable frontend/npm dependencies to patched versions
Source: llm_adapter@2026-05-24 · Confidence: high

Dependency · Medium
Updates build tooling to Yarn 4.x and Node.js 22
Source: llm_adapter@2026-05-24 · Confidence: low

Full changelog

v0.16.2 - 2026-05-23

Security

  • fix(xss): encode tag text in Awesomplete autocomplete suggestions
  • fix(xss): sanitize href protocols in rendered Markdown HTML
  • fix(xss): sanitize thumbnail update DOM insertions
  • update vulnerable frontend/npm dependencies

Changed

  • build: update frontend tooling to Yarn 4.x and Node.js 22

Added

  • doc: add documentation for building/testing Docker image locally
  • doc: add documentation for running GitHub Actions locally with act
  • doc: add documentation for GPG_TTY on headless build environments

Full Changelog: https://github.com/shaarli/Shaarli/compare/v0.16.1...v0.16.2

Security Fixes

  • fix(xss): encode tag text in Awesomplete autocomplete suggestions (no CVE ID provided)
  • fix(xss): sanitize href protocols in rendered Markdown HTML (no CVE ID provided)
  • fix(xss): sanitize thumbnail update DOM insertions (no CVE ID provided)
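As an added example that is not Shaarli's own code, the two defences the changelog names, an href protocol allowlist for Markdown-rendered links and HTML encoding of tag text before it is written into markup, as plain JavaScript that runs under Node without a DOM. SAFE_SCHEMES, sanitizeHref, escapeHtml and renderLink are names chosen here, not identifiers from the Shaarli code base.

```javascript
// Added example, not Shaarli's own code: the two defences named in the
// v0.16.2 changelog, as standalone functions (no DOM needed to run them).

// Protocol allowlist for href values emitted by a Markdown renderer.
// Assumption: these are the schemes a bookmarking service wants to keep.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "ftp:"]);

// Returns href unchanged when it is scheme-less (relative, "#..." or "?...")
// or its scheme is allowlisted; otherwise returns "#", so a "javascript:" or
// "data:" link from user-supplied Markdown never reaches the anchor tag.
function sanitizeHref(href) {
  if (typeof href !== "string") return "#";
  // Browsers drop ASCII control characters and whitespace while parsing the
  // scheme, so "java\tscript:" or " javascript:" must be normalised first.
  const cleaned = href.replace(/[\u0000-\u0020\u007f]/g, "");
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(cleaned);
  if (match === null) return href; // no scheme at all: relative link
  return SAFE_SCHEMES.has(match[1].toLowerCase()) ? href : "#";
}

// HTML-encodes text before it is interpolated into markup, so a tag or
// thumbnail title such as '<img src=x onerror=alert(1)>' renders as text
// instead of being parsed (the autocomplete and thumbnail bug class).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds an anchor the way a hardened Markdown renderer would: the href goes
// through the protocol allowlist, and both attribute and label are encoded.
function renderLink(href, label) {
  return `<a href="${escapeHtml(sanitizeHref(href))}">${escapeHtml(label)}</a>`;
}
```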


About Shaarli

The personal, minimalist, super-fast, database free, bookmarking service - community repo
