Description
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.
Published: 2026-02-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Audio Metadata
Action: Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in older releases of the Audiobookshelf mobile app that permits an attacker to embed malicious JavaScript into the metadata of an audio library or podcast feed. When a victim opens the altered item, the app’s WebView executes the payload, enabling arbitrary code execution on the device. Consequently, attackers can hijack the user’s session, exfiltrate personal data, or maliciously invoke native device APIs. The affected code paths fall under CWE‑79, a classic reflected or stored XSS weakness.

Affected Systems

The vulnerability is present in versions of the Audiobookshelf mobile application released before 0.12.0‑beta. The affected product is the self‑hosted Audiobookshelf‑Mobile‑App, maintained by advplyr. Users running earlier versions and exposing library‑modification rights or consuming unsecured podcast RSS feeds are at risk.

Risk and Exploitability

The CVSS base score of 4.8 indicates a low‑medium severity, and the EPSS score of less than 1% suggests the likelihood of real‑world exploitation is very low at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to gain the ability to modify library metadata or supply a malicious RSS feed; the attacker then relies on victim interaction with the affected content. If successful, the attacker can execute arbitrary code inside the app’s embedded WebView, potentially compromising the device’s security posture.

Generated by OpenCVE AI on April 17, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Audiobookshelf mobile app to version 0.12.0‑beta or later, which removes the vulnerable code path.
  • Limit library modification privileges to trusted administrators to reduce the chance of injected metadata.
  • If an upgrade cannot be performed immediately, verify and sanitize existing library metadata, or block insecure external podcast feeds until the patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Audiobookshelf
Audiobookshelf audiobookshelf Mobile App
CPEs cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:*:*:*:*:*:*:*:*
Vendors & Products Audiobookshelf
Audiobookshelf audiobookshelf Mobile App

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Advplyr
Advplyr audiobookshelf
Vendors & Products Advplyr
Advplyr audiobookshelf

Thu, 26 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.
Title Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Advplyr Audiobookshelf
Audiobookshelf Audiobookshelf Mobile App
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:42:43.253Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27974

cve-icon Vulnrichment

Updated: 2026-02-26T14:42:37.538Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T03:16:04.970

Modified: 2026-03-12T20:23:44.720

Link: CVE-2026-27974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses