CVE-2026-27974
- Source
- https://cve.org/CVERecord?id=CVE-2026-27974
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27974.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27974
- Aliases
-
- GHSA-8c9r-pvrj-vcf5
- Published
- 2026-02-26T02:10:30.504Z
- Modified
- 2026-03-03T02:56:53.692248Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)
- Details
-
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27974.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27974.json
- https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e
- https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5
- https://nvd.nist.gov/vuln/detail/CVE-2026-27974
Affected packages
Git / github.com/advplyr/audiobookshelf-app
Affected ranges
- Type
- GIT
- Repo
- https://github.com/advplyr/audiobookshelf-app
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.10.0-beta
v0.10.1-beta
v0.11.0-beta
v0.9.35-beta
v0.9.36-beta
v0.9.37-beta
v0.9.38-beta
v0.9.39-beta
v0.9.40-beta
v0.9.41-beta
v0.9.42-beta
v0.9.43-beta
v0.9.44-beta
v0.9.45-beta
v0.9.46-beta
v0.9.47-beta
v0.9.48-beta
v0.9.49-beta
v0.9.50-beta
v0.9.51-beta
v0.9.52-beta
v0.9.53-beta
v0.9.54-beta
v0.9.55-beta
v0.9.56-beta
v0.9.57-beta
v0.9.58-beta
v0.9.59-beta
v0.9.60-beta
v0.9.61-beta
v0.9.62-beta
v0.9.63-beta
v0.9.64-beta
v0.9.65-beta
v0.9.66-beta
v0.9.67-beta
v0.9.68-beta
v0.9.69-beta
v0.9.70-beta
v0.9.71-beta
v0.9.72-beta
v0.9.73-beta
v0.9.74-beta
v0.9.75-beta
v0.9.76-beta
v0.9.77-beta
v0.9.78-beta
v0.9.79-beta
v0.9.80-beta
v0.9.81-beta