Description
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.
Published: 2026-02-26
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting enabling arbitrary JavaScript execution with potential session hijacking and data exfiltration
Action: Immediate Patch
AI Analysis

Impact

A stored XSS flaw in the Audiobookshelf mobile client allows an attacker who can modify a library to inject arbitrary JavaScript via audiobook metadata. This code runs in the context of the WebView that renders search results, giving the attacker the same privileges as the user. Successful exploitation could lead to session hijacking, data exfiltration, and unauthorized calls to native device APIs such as microphone or filesystem, as stated.

Affected Systems

The flaw exists in the Audiobookshelf mobile application and server versions earlier than 0.12.0-beta (app) and 2.12.0 (server). The affected products are the open‑source Audiobookshelf server and its companion mobile app, both provided by advplyr. Users running the mobile app before the 0.12.0-beta release or the server before 2.12.0 are vulnerable. Those who own the app and server with the listed versions, especially if they allow library modification, are impacted.

Risk and Exploitability

The CVSS score is 4, indicating moderate severity. The EPSS is below 1 %, implying a low but nonzero likelihood of exploitation. It is not listed in the CISA KEV catalog, so no confirmed exploitation documented. Attackers need the ability to modify library metadata, so the vulnerability requires authenticated privileges; once an attacker has those, the exploit is straightforward and does not require advanced techniques. The risk is moderate with a relatively low exploitation probability.

Generated by OpenCVE AI on April 17, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Audiobookshelf mobile app to version 0.12.0-beta or later
  • Upgrade the Audiobookshelf server to version 2.12.0 or later
  • Restrict library modification permissions to trusted users or roles so that only authorized users can alter metadata

Generated by OpenCVE AI on April 17, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Audiobookshelf
Audiobookshelf audiobookshelf
Audiobookshelf audiobookshelf Mobile App
CPEs cpe:2.3:a:audiobookshelf:audiobookshelf:*:*:*:*:*:*:*:*
cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:*:*:*:*:*:*:*:*
Vendors & Products Audiobookshelf
Audiobookshelf audiobookshelf
Audiobookshelf audiobookshelf Mobile App

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Advplyr
Advplyr audiobookshelf
Vendors & Products Advplyr
Advplyr audiobookshelf

Thu, 26 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0. Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.

Thu, 26 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Description Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.
Title Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Advplyr Audiobookshelf
Audiobookshelf Audiobookshelf Audiobookshelf Mobile App
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:45:25.252Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27973

cve-icon Vulnrichment

Updated: 2026-02-26T14:45:19.340Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T02:16:24.553

Modified: 2026-03-12T20:26:51.100

Link: CVE-2026-27973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses