Kallithea Security Notice

Cross-site scripting (XSS)


A vulnerability has been found in Kallithea in the interpretation of certain URL arguments.


Some Kallithea URLs contain a repository changeset, branch name, tag, bookmark, etc. For some URLs, these values were not securely treated. An attacker could craft a special URL containing JavaScript in place of such changeset/branch/tag/... which would be evaluated when a user follows such malicious URL, thus potentially executing malicious code in the user's browser.

This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).


The issue is fixed in release 0.3.7. Users are advised to upgrade as soon as possible.

Affected versions

This issue is present in Kallithea releases 0.3.3 up to (and including) 0.3.6.


  1. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/81db5704b2859c5dd4d0309acb80a4a9d41c7600