CVE-2026-27974

Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.
Configurations

Configuration 1

cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:*:*:*:*:*:*:*:*

History

12 Mar 2026, 20:23

Type: References
  Values Removed: https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e (no tag)
  Values Added: https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e (Patch)

Type: References
  Values Removed: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5 (no tag)
  Values Added: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5 (Vendor Advisory)

Type: First Time
  Values Added: Audiobookshelf
  Values Added: Audiobookshelf audiobookshelf Mobile App

Type: CPE
  Values Added: cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:*:*:*:*:*:*:*:*

27 Feb 2026, 14:06

Type: Summary
  Values Added:
  • (es) Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. Version 0.12.0-beta of audiobookshelf-app fixes the issue.

26 Feb 2026, 03:16

Type: New CVE

Information

Published : 2026-02-26 03:16

Updated : 2026-03-12 20:23


NVD link : CVE-2026-27974

Mitre link : CVE-2026-27974

CVE.ORG link : CVE-2026-27974

Products Affected

audiobookshelf

  • audiobookshelf_mobile_app
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')