4.8

Audiobookshelf Mobile App: Malicious Library Data Can Hijack Sessions

CVE-2026-27973
Summary

A stored cross-site scripting (XSS) issue in versions of the Audiobookshelf mobile app prior to 0.12.0-beta allows an attacker who has library modification privileges to plant malicious library metadata that runs JavaScript in other users' browsers or WebViews, potentially leading to session hijacking, theft of sensitive information, or unauthorized access to native device APIs. To stay safe, update the Audiobookshelf mobile app to version 0.12.0-beta or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
audiobookshelf | audiobookshelf | <= 2.12.0 |
audiobookshelf | audiobookshelf_mobile_app | <= 0.12.0 |
Original title
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that...
Original description
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.
nvd CVSS3.1 4.0
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 26 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026