CVE-2026-27973

Medium CVSS: 4.0

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.

Vendor

Audiobookshelf

Product

Audiobookshelf

CWE

CWE-79

Yayın Tarihi

2026-02-26 02:16:24

Güncelleme

2026-03-12 20:26:51

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Audiobookshelf MEDIUM Audiobookshelf 2026

Referanslar

https://github.com/advplyr/audiobookshelf-app/commit/b2c2b625e3cf586562397f4c02e38059f2b8ef5c https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-2433-p93m-xhhg

Benzer Kayıtlar

Medium

CVE-2026-27963

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists i…

Medium

CVE-2026-27974

Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versi…

High

CVE-2025-57800

Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does no…

Medium

CVE-2025-46338

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulner…

High

CVE-2025-25205

Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a…