Description
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges can inject arbitrary HTML/JavaScript that will be rendered on the login page for all users. This vulnerability is fixed in 2.33.0.
Published: 2026-05-11
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Audiobookshelf versions prior to 2.33.0 contain a stored cross‑site scripting (XSS) flaw in the login page. The flaw arises from improper sanitization of the authLoginCustomMessage value sent to the /api/auth-settings endpoint, allowing an attacker who already holds administrative privileges to inject arbitrary HTML or JavaScript. When exploited, the malicious payload is rendered on the login page for all users, potentially enabling theft of session cookies, defacement of the site, or execution of arbitrary client‑side code. This weakness corresponds to CWE‑79.

Affected Systems

The affected product is the advplyr Audiobookshelf self‑hosted audiobook and podcast server. All installations running a version earlier than 2.33.0 are vulnerable; the issue was rectified in 2.33.0.

Risk and Exploitability

The vulnerability is scored as CVSS 4.5, indicating low to moderate severity. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the attacker already possess administrative credentials, so the risk to an outsider is limited. Nonetheless, the presence of a stored XSS that affects every user’s experience makes it important to remediate promptly.

Generated by OpenCVE AI on May 11, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Audiobookshelf installation to version 2.33.0 or newer to remove the stored XSS vulnerability.
  • If upgrading immediately is not feasible, review and edit the authLoginCustomMessage configuration to ensure it contains only safe text; alternatively, temporarily disable the custom login message feature until a patch can be applied.
  • Restrict administrative access to trusted personnel and monitor configuration changes; audit logs to detect any unauthorized alterations to login page settings.
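The unsafe rendering pattern the description points to, beside its escaped form and an audit check that matches the workaround above, as an added JavaScript example (not Audiobookshelf's code; the function names and the sample settings are constructed):

```javascript
// Added example, not Audiobookshelf's code. `renderLoginBanner*` and
// `auditLoginMessage` are hypothetical names; the settings below are constructed.

// Minimal HTML escaper for text placed inside an element body.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the admin-supplied message is spliced into markup verbatim,
// so any tags it carries become part of the login page DOM for every visitor.
function renderLoginBannerUnsafe(message) {
  return `<div class="login-message">${message}</div>`;
}

// Hardened pattern: the same message is escaped first, so tags render as text.
function renderLoginBannerSafe(message) {
  return `<div class="login-message">${escapeHtml(message)}</div>`;
}

// Audit check for the workaround: flag a configured message containing anything a
// browser would parse as a tag (`<` followed directly by a name, `/`, `!` or `?`),
// a javascript: URL, or an inline event-handler attribute. Plain "a < b" passes.
function messageContainsMarkup(message) {
  const s = String(message);
  return /<\/?[a-zA-Z!?]/.test(s) || /javascript:/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Review one auth-settings object: report whether the custom login message
// needs attention and what it would look like once escaped.
function auditLoginMessage(settings) {
  const msg = settings.authLoginCustomMessage ?? '';
  return { flagged: messageContainsMarkup(msg), escapedPreview: escapeHtml(msg) };
}

// Constructed sample settings standing in for /api/auth-settings responses.
const sampleSettings = [
  { authLoginCustomMessage: 'Welcome to the family library' },
  { authLoginCustomMessage: 'Maintenance tonight <b>22:00</b> to 23:00' },
  { authLoginCustomMessage: 'Notice <script>/* constructed */</script>' },
];

for (const s of sampleSettings) {
  console.log(JSON.stringify(auditLoginMessage(s)));
}
```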

Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Advplyr; Advplyr audiobookshelf
Vendors & Products | | Advplyr; Advplyr audiobookshelf

Mon, 11 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges can inject arbitrary HTML/JavaScript that will be rendered on the login page for all users. This vulnerability is fixed in 2.33.0.
Title | | Audiobookshelf: Stored Cross-Site Scripting in Login Page Custom Message
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}


Subscriptions

Advplyr Audiobookshelf
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:29:46.446Z

Reserved: 2026-04-30T18:49:06.712Z

Link: CVE-2026-42887

Vulnrichment

Updated: 2026-05-12T13:29:42.984Z

NVD

Status : Deferred

Published: 2026-05-11T20:25:45.713

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-42887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:15:09Z

Weaknesses