Kallithea Security Notice

Cross-site scripting (XSS)


A vulnerability has been found in Kallithea in the display of names of users.


In some Kallithea authentication backends, such as the internal backend, users can modify their own first and last name. A malicious user can therefore attempt to include JavaScript in their name.

Due to incorrect escaping of these names in the Pull Request reviewers list, such potentially malicious JavaScript could be evaluated in the browser of users manipulating that reviewer list.
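The class of bug described above, as an added example: it is not Kallithea's code and not the fix from the changeset. The function names, field names and sample accounts are hypothetical. It shows name fields concatenated into reviewer-list markup without escaping, the same renderer with escaping at the point of output, and a helper that flags existing accounts whose names contain angle brackets.

```javascript
// Added illustration; all names here are hypothetical, not Kallithea's.

// Single-pass escape of the characters that are significant in HTML
// text and attribute values (single pass, so '&' is never double-escaped).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: user-editable name fields go into the markup verbatim.
function renderReviewerUnsafe(user) {
  return '<li class="reviewer" data-user="' + user.username + '">' +
         user.firstname + ' ' + user.lastname + '</li>';
}

// Hardened form: every user-controlled field is escaped where it is output.
function renderReviewerSafe(user) {
  return '<li class="reviewer" data-user="' + escapeHtml(user.username) + '">' +
         escapeHtml(user.firstname) + ' ' + escapeHtml(user.lastname) + '</li>';
}

// Triage helper for administrators: list accounts whose first or last name
// contains angle brackets. Apostrophes are not flagged because they occur in
// legitimate names (O'Brien); escaping already renders them harmless.
function auditNames(users) {
  return users
    .filter((u) => /[<>]/.test(String(u.firstname) + String(u.lastname)))
    .map((u) => u.username);
}

// Constructed sample accounts, not taken from any real installation.
const sampleUsers = [
  { username: 'alice', firstname: 'Alice', lastname: 'Ng' },
  { username: 'mallory', firstname: 'Mal', lastname: '<script>alert(1)</script>' },
  { username: 'obrien', firstname: 'Pat', lastname: "O'Brien" },
];

console.log(renderReviewerUnsafe(sampleUsers[1])); // markup reaches the page as-is
console.log(renderReviewerSafe(sampleUsers[1]));   // markup is shown as text
console.log(auditNames(sampleUsers));              // accounts worth reviewing
```

Escaping at output time protects the page regardless of what is already stored; the audit only helps decide which existing accounts to review after upgrading.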

This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).


The issue is fixed in release 0.3.7. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all Kallithea releases prior to 0.3.7.


  1. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/603f5f7c323d1d128aa5d486b60f1172cd254d59