Kallithea Security Notice

Cross-site scripting (XSS)


A vulnerability has been found in Kallithea.


This vulnerability allows a normal user to inject code into pages viewable by other users/visitors of Kallithea (XSS).

This issue was found and reported by:
Kacper Szurek (https://security.szurek.pl/).


The issue is fixed by Mads Kiilerich in release 0.3.5. Users are advised to upgrade as soon as possible.

To detect a possible breach, users should verify the presence of unexpected newly created repository groups inside Kallithea.

Affected versions

As far as we know, the issue is present in all previously released Kallithea versions.


  1. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/64d41568507ce86f9fc601933f1cb0b4c8caddca