Listen to this Post
CVE-2026-27974 is a cross-site scripting (XSS) vulnerability found in the Audiobookshelf mobile application for versions prior to 0.12.0-beta. Audiobookshelf is a self-hosted platform for managing and streaming audiobooks and podcasts . The vulnerability resides in how the mobile app’s WebView renders metadata from the library. An attacker who has privileges to modify the library—such as a user with upload permissions on a shared server—or who controls a malicious podcast RSS feed can inject arbitrary JavaScript code into this metadata . When a victim user browses the library or interacts with the malicious podcast within the app, the unsanitized metadata is parsed and the JavaScript executes within the context of the WebView. This execution environment is particularly dangerous because the WebView acts as a bridge to the native mobile application, allowing the injected script to potentially access native device functions and stored session tokens . The attack does not require user interaction beyond viewing the crafted content, making it an effective method for compromising user accounts and devices. The issue has been addressed in version 0.12.0-beta of the audiobookshelf-app, which corresponds to audiobookshelf server version 2.12.0 .
dailycve form:
Platform: Mobile App
Version: <0.12.0-beta
Vulnerability :Cross-Site Scripting
Severity: Medium (4.8)
date: 2026-02-25
Prediction: Patched (0.12.0-beta)
What Undercode Say:
Analytics:
Check current version of Audiobookshelf mobile app (if using Android Debug Bridge)
adb shell dumpsys package com.audiobookshelf.app | grep versionName
Simulate a request to fetch podcast RSS feed (example for testing)
curl -H "User-Agent: Audiobookshelf" https://malicious.example.com/feed.xml
Generic input sanitization example (Node.js backend)
const sanitize = require('sanitize-html');
let unsafeMetadata = "<img src=x onerror=alert('XSS')>";
let safeMetadata = sanitize(unsafeMetadata);
console.log(safeMetadata); // Outputs: <img src="x" />
How Exploit:
An attacker injects a JavaScript payload into an audiobook’s , description, or a podcast RSS feed item. Example payload: <img src="invalid" onerror="alert('Session:'+localStorage.getItem('token'))">. When a user views this item in the app, the onerror event triggers, executing the script and exfiltrating data.
Protection from this CVE
Update to audiobookshelf-app version 0.12.0-beta or later . Administrators should validate and sanitize all user-submitted metadata on the server. Users should avoid adding libraries or podcasts from untrusted sources until the update is applied.
Impact:
Successful exploitation leads to arbitrary JavaScript execution in the app’s WebView. This can result in session hijacking, theft of authentication tokens, data exfiltration from the local library, and potentially unauthorized access to native device APIs such as the file system or microphone .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

