Kallithea Security Notice

Cross-site scripting (XSS)


A vulnerability has been found in Kallithea.


This vulnerability allows someone with write access to a repository to craft a README.md file that will influence the Kallithea web interface for users visiting the landing page for that repository (which displays the README).

This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).


The issue is fixed by Mads Kiilerich in release 0.3.6. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all previously released Kallithea versions.


  1. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/5746cc3b3fa5a1b8735ba914823b44550b406c15