Description

Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.

INFO

Published Date :

2026-02-26T02:10:30.504Z

Last Modified :

2026-02-26T14:42:43.253Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27974 vulnerability.

Vendors Products
Advplyr
  • Audiobookshelf
Audiobookshelf
  • Audiobookshelf Mobile App
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27974.

URL Resource
https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e cve-icon cve-icon
https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact