Vulnerability Details CVE-2026-27974
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.3%
CVSS Severity
CVSS v3 Score 4.8
Products affected by CVE-2026-27974
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.1.0
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.10.0
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.10.1
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.11.0
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.2.1
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.0
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.35
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.36
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.37
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.38
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.39
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.40
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.41
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.42
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.43
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.44
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.45
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.46
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.47
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.48
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.49
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.50
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.51
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.52
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.53
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.54
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.55
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.56
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.57
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.58
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.59
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.60
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.61
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.62
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.63
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.64
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.65
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.66
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.67
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.68
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.69
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.70
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.71
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.72
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.73
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.74
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.75
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.76
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.77
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.78
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.79
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.80
- cpe:2.3:a:audiobookshelf:audiobookshelf_mobile_app:0.9.81