{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27974", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-02-26T02:10:30.504Z", "dateUpdated": "2026-02-26T14:42:43.253Z"}, "containers": {"cna": {"title": "Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5"}, {"name": "https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e", "tags": ["x_refsource_MISC"], "url": "https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e"}], "affected": [{"vendor": "advplyr", "product": "audiobookshelf-app", "versions": [{"version": "< 0.12.0-beta", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T02:10:30.504Z"}, "descriptions": [{"lang": "en", "value": "Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue."}], "source": {"advisory": "GHSA-8c9r-pvrj-vcf5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:42:26.983819Z", "id": "CVE-2026-27974", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:42:43.253Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27974", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:42:26.983819Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:42:37.538Z"}}], "cna": {"title": "Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)", "source": {"advisory": "GHSA-8c9r-pvrj-vcf5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "advplyr", "product": "audiobookshelf-app", "versions": [{"status": "affected", "version": "< 0.12.0-beta"}]}], "references": [{"url": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5", "name": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e", "name": "https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T02:10:30.504Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27974", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:42:43.253Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T02:10:30.504Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB5F33E7-D91F-4887-9CA4-59CF349DC460", "versionEndExcluding": "0.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue."}, {"lang": "es", "value": "Audiobookshelf es un servidor de audiolibros y podcasts autoalojado. Una vulnerabilidad de cross-site scripting (XSS) existe en versiones anteriores a la 0.12.0-beta de la aplicaci\u00f3n m\u00f3vil de Audiobookshelf que permite la ejecuci\u00f3n arbitraria de JavaScript a trav\u00e9s de metadatos de biblioteca maliciosos. Atacantes con privilegios de modificaci\u00f3n de biblioteca (o control sobre un feed RSS de podcast malicioso) pueden ejecutar c\u00f3digo en los WebViews de los usuarios v\u00edctimas, lo que podr\u00eda llevar al secuestro de sesi\u00f3n, exfiltraci\u00f3n de datos y acceso no autorizado a las API de dispositivos nativos. La versi\u00f3n 0.12.0-beta de audiobookshelf-app soluciona el problema."}], "id": "CVE-2026-27974", "lastModified": "2026-03-12T20:23:44.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T03:16:04.970", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/advplyr/audiobookshelf-app/commit/bab95530c8c3d7a4b4cec5b059da8b79ad50223e"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-8c9r-pvrj-vcf5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.12.0-beta)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "audiobookshelf-app", "source": "cna", "vendor": "advplyr"}, "product": "audiobookshelf", "vendor": "advplyr"}], "analysis": {"en": {"generated_at": "2026-04-17T14:28:15.075316+00:00", "value": {"mitigation_remediation": ["Upgrade the Audiobookshelf mobile app to version 0.12.0\u2011beta or later, which removes the vulnerable code path.", "Limit library modification privileges to trusted administrators to reduce the chance of injected metadata.", "If an upgrade cannot be performed immediately, verify and sanitize existing library metadata, or block insecure external podcast feeds until the patch is applied."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via Audio Metadata"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in versions of the Audiobookshelf mobile application released before 0.12.0\u2011beta. The affected product is the self\u2011hosted Audiobookshelf\u2011Mobile\u2011App, maintained by advplyr. Users running earlier versions and exposing library\u2011modification rights or consuming unsecured podcast RSS feeds are at risk.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in older releases of the Audiobookshelf mobile app that permits an attacker to embed malicious JavaScript into the metadata of an audio library or podcast feed. When a victim opens the altered item, the app\u2019s WebView executes the payload, enabling arbitrary code execution on the device. Consequently, attackers can hijack the user\u2019s session, exfiltrate personal data, or maliciously invoke native device APIs. The affected code paths fall under CWE\u201179, a classic reflected or stored XSS weakness.", "risk_and_exploitability": "The CVSS base score of 4.8 indicates a low\u2011medium severity, and the EPSS score of less than 1% suggests the likelihood of real\u2011world exploitation is very low at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to gain the ability to modify library metadata or supply a malicious RSS feed; the attacker then relies on victim interaction with the affected content. If successful, the attacker can execute arbitrary code inside the app\u2019s embedded WebView, potentially compromising the device\u2019s security posture."}}}}, "created": "2026-02-26T13:09:48.111223+00:00", "updated": "2026-04-17T14:30:20.831194+00:00", "vendors": ["advplyr", "advplyr$PRODUCT$audiobookshelf"]}