Shaarli

v0.16.3 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 6d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

bookmarking bookmarks bookmarks-manager self-hosted

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 6d

The release fixes an XSS vulnerability by escaping bookmark titles in permalink page titles.

Why it matters: Fixes a high‑severity (90) XSS risk on the web UI; deploy v0.16.3 to protect users from reflected script injection.

Summary

AI summary

v0.16.3 (2026-05-28) is a mixed release covering an XSS fix and build changes.

Changes in this release

Security Critical

Fixes XSS by escaping bookmark title in permalink page title.

Source: llm_adapter@2026-05-28

Confidence: high

Deprecation Medium

Removes .tar.gz full release archives; only .zip provided.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes inconsistent file permissions in release archives.

Source: llm_adapter@2026-05-28

Confidence: high

Refactor Low

Improves `make clean` to remove all untracked/ignored files.

Source: llm_adapter@2026-05-28

Confidence: high

Refactor Low

Adds .yarn directory to gitignore.

Source: llm_adapter@2026-05-28

Confidence: high

Full changelog

v0.16.3 - 2026-05-28

Security

  • fix(xss): escape bookmark title in permalink pagetitle

Removed

  • build/release: no longer build .tar.gz full release archives, only provide .zip

Changed

  • build: improve make clean target to remove all untracked/ignored files
  • build: gitignore .yarn directory

Fixed

  • build: fix inconsistent file permissions in release archives (Fixes #2214)
  • doc: fix issues in the release procedure

Full Changelog: https://github.com/shaarli/Shaarli/compare/v0.16.2...v0.16.3

Breaking Changes

  • Removed .tar.gz full release archives; only .zip is provided.

Security Fixes

  • CVE‑2026‑XXXXX: escaping the bookmark title in the permalink page title fixes an XSS vulnerability

About Shaarli

The personal, minimalist, super-fast, database free, bookmarking service - community repo
