Audiobookshelf mobile app: Malicious library metadata can hijack your account
CVE-2026-27974
Summary
If you use an outdated version of the Audiobookshelf mobile app to access your self-hosted audiobook and podcast server, an attacker who can manipulate library metadata could take control of your account, steal your data, and reach your device's features. Update the app to the latest version (0.12.0-beta) to protect your account and data. If you are unsure when your app was last updated, check with your IT department or the app's developer.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| audiobookshelf | audiobookshelf_mobile_app | <= 0.12.0 | – |
Original title
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows...
Original description
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue.
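The bug class described above, untrusted library metadata (for example from a podcast RSS feed) concatenated into WebView markup without escaping, shown as an added illustration that is not Audiobookshelf code; the field names and render functions are assumptions.

```javascript
// Added example, not Audiobookshelf code. Item fields (title, author,
// description) are assumed names for metadata that may originate from
// an untrusted RSS feed or a user with library-edit rights.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Neutralise the five characters that let text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: metadata is interpolated straight into markup,
// so any tags inside a title or description are parsed as HTML and
// scripts run with the WebView's privileges.
function renderItemUnsafe(item) {
  return `<h2>${item.title}</h2>` +
    `<p class="author">${item.author}</p>` +
    `<p>${item.description}</p>`;
}

// Hardened pattern: every field passes through escapeHtml, so the same
// metadata is displayed literally instead of being interpreted.
function renderItemSafe(item) {
  return `<h2>${escapeHtml(item.title)}</h2>` +
    `<p class="author">${escapeHtml(item.author)}</p>` +
    `<p>${escapeHtml(item.description)}</p>`;
}

// Detection helper for ingest pipelines: flags metadata that contains
// what looks like an HTML tag opener so it can be logged or reviewed.
function metadataContainsMarkup(item) {
  return Object.values(item).some((v) => /<[a-z!\/]/i.test(String(v ?? "")));
}

// Constructed sample: an episode title carrying a script tag, plus a
// description with quotes and an ampersand to show ordinary escaping.
const SAMPLE_ITEM = {
  title: 'Episode 12 <script>document.title = "owned"</script>',
  author: "Feed Owner",
  description: 'Show notes with a "quoted" phrase & an ampersand',
};
```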
NVD CVSS 3.1
4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 26 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026