CVE-2026-27974

Medium CVSS: 4.8

Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.

Vendor

Audiobookshelf

Product

Audiobookshelf Mobile App

CWE

CWE-79

Yayın Tarihi

2026-02-26 03:16:04

Güncelleme

2026-03-12 20:23:44

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Audiobookshelf Mobile App MEDIUM Audiobookshelf 2026

Referanslar

https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5

Benzer Kayıtlar

Medium

CVE-2026-27963

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists i…

Medium

CVE-2026-27973

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists i…

High

CVE-2025-57800

Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does no…

Medium

CVE-2025-46338

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulner…

High

CVE-2025-25205

Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a…