Kallithea Security Notice

Cross-Site Scripting (XSS)


A cross-site scripting vulnerability has been found in the way Kallithea displays repository group descriptions.


Descriptions of repository groups were not correctly escaped when displayed. This allowed a malicious user with sufficient rights to add an executable script to a repository group description. Such a script (typically JavaScript) would then be executed in the browsers of users and could do anything on behalf of the current Kallithea user.
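
As an added illustration (not Kallithea's code and not taken from the fix changeset), the following Python example audits stored repository group descriptions for content a browser would treat as markup if it were output unescaped, and shows the escaped form that is safe to display. The group names, descriptions and function names are constructed for the example, and it assumes descriptions are meant to be plain text, so any element is reported for review.

```python
import html
import re
from html.parser import HTMLParser

class MarkupFinder(HTMLParser):
    """Records what a browser would treat as markup if the text were not escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} event handler")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def audit_description(text):
    """Return the reasons a stored description needs review (empty list if none)."""
    finder = MarkupFinder()
    finder.feed(text)
    finder.close()
    # Fallback for tag-like text the parser did not report (e.g. an unterminated tag).
    if not finder.findings and re.search(r"<[A-Za-z/!?]", text):
        finder.findings.append("tag-like text")
    return finder.findings

def render_description(text):
    """Escape a description for HTML output so the browser shows it as text."""
    return html.escape(text, quote=True)

# Constructed sample data: (group name, description) pairs, not real Kallithea records.
SAMPLE_GROUPS = [
    ("infra", "Build & deploy tooling"),
    ("docs", "See <b>README</b> first"),
    ("tmp", "<script>alert(1)</script>"),
    ("web", '<a href="javascript:void(0)" onclick="x()">link</a>'),
]

def audit_groups(groups):
    """Map each group name to its findings, skipping clean descriptions."""
    return {name: found for name, desc in groups if (found := audit_description(desc))}

if __name__ == "__main__":
    for name, found in audit_groups(SAMPLE_GROUPS).items():
        print(name, found, "->", render_description(dict(SAMPLE_GROUPS)[name]))
```

Descriptions flagged by such an audit on an affected installation are worth reviewing alongside the upgrade, since the text stays in the database after the display code is fixed.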

Thanks to stypr of Flatt Security for reporting this vulnerability.

Resolution / Affected versions

This vulnerability was first introduced in Kallithea 0.4.0 and is fixed in 0.6.3.

Users are advised to upgrade as soon as possible.


  1. Mercurial changeset fixing the issue: https://kallithea-scm.org/repos/kallithea/changeset/cd8fa11c5c89278a103b795db50e740594038ec8