Kallithea Security Notice

Cross-site scripting (XSS)


A vulnerability has been found in Kallithea in the rendering of README files.


If a repository contains a 'README' file (in one of various formats, like README.md or README.rst) Kallithea will render it according to the used format.

If an attacker has write access to a repository, they could create or modify such a README file and let it contain malicious code (e.g. JavaScript) that would be executed in the browser of users visiting the repository summary page.

For Markdown-formatted README files, this issue was already previously fixed in Kallithea 0.3.6, but it was overlooked that the same issue is present for other README formats.

This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).


The issue is fixed in release 0.3.7. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all Kallithea releases prior to 0.3.7.


  1. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/e74aa69f6827e1f6da4ae94ea2bcac10c98d0203