4.8
Audiobookshelf Versions Before 2.32.0 Allow Hackers to Steal Data
CVE-2026-27963
Summary
A stored cross-site scripting (XSS) issue in Audiobookshelf's web application before version 2.32.0 allows hackers who can modify a library to inject malicious code into other users' browsers through library metadata, potentially allowing them to steal sensitive information or take control of users' accounts. This issue is fixed in version 2.32.0. Update to the latest version to protect your users and data.
What to do
Update to version 2.32.0 or later, which contains the patch for this issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| audiobookshelf | audiobookshelf | < 2.32.0 | 2.32.0 |
Original title
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows ...
Original description
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers, potentially leading to session hijacking and data exfiltration. Version 2.32.0 contains a patch for the issue.
NVD CVSS 3.1 score
4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/advplyr/audiobookshelf/commit/503f4611b221a5bde19024e65702167... (Patch)
- https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf7... (Exploit, Mitigation, Patch, Vendor Advisory)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026