Kallithea Security Notice

Cross-site scripting (XSS)


A vulnerability has been found in Kallithea in the 'Download as zip' and 'Compare' features of repositories.


If an attacker has write access to a repository, they can create a branch, tag or bookmark with a name containing JavaScript.

Due to incorrect escaping of such names in the 'Download as zip' feature on the summary page of a repository, the potentially malicious JavaScript was evaluated when selecting that branch/tag/bookmark in the 'Select changeset' dropdown menu.

This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).

The same issue turned out to be present in the version selection dropdown menus of the 'Compare' feature of repositories.


The issue is fixed in release 0.3.7. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all Kallithea releases prior to 0.3.7.


  1. Mercurial changesets fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/c9bd000a45675b1029fa19fd25b3db2c37169560 and https://kallithea-scm.org/repos/kallithea/changeset/04e44ea05c5fee8744879daf5b2c2e29051f8960