Listen to this Post
CVE-2026-27973 is a stored cross-site scripting (XSS) vulnerability found in the Audiobookshelf mobile application prior to version 0.12.0-beta. The vulnerability resides in how the application handles metadata for audiobooks within its library. Specifically, the `ItemSearchCard.vue` component fails to properly sanitize or neutralize input from audiobook metadata before displaying it in search results within the mobile app’s WebView. An attacker who has been granted library modification privileges can upload or edit audiobook metadata to include a malicious JavaScript payload. When another user browses the library or searches for content, the unsanitized metadata is rendered by the application, causing the arbitrary JavaScript to execute in the context of the victim user’s WebView. This execution environment is particularly dangerous as it can potentially bridge to native device APIs. The attack does not require the victim to click a link; simply viewing the compromised library item triggers the payload. Successful exploitation could lead to the hijacking of user sessions, exfiltration of sensitive data like authentication tokens, and unauthorized access to device features. The issue was addressed in `audiobookshelf-app` version 0.12.0-beta, which corresponds to server version 2.12.0. The vulnerability carries a CVSS v3.1 score of 4.0, indicating a medium severity due to the requirement for high privileges and user interaction, despite the network-based attack vector.
dailycve form:
Platform: Audiobookshelf Mobile
Version: Prior 0.12.0-beta
Vulnerability: Stored Cross-Site Scripting
Severity: Medium (CVSS 4.0)
date: 03/12/2026
Prediction: Already patched 02/25/2026
What Undercode Say:
Analytics:
- CVE ID: CVE-2026-27973
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Attack Vector: Network
- Privileges Required: High (Library Modification)
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
- Weakness Enumeration: CWE-79
Bash Commands & Code:
Check current version of Audiobookshelf mobile app (if using a tool like ADB for Android) adb shell dumpsys package com.audiobookshelf.app | grep versionName Example of a malicious metadata payload (conceptual, for illustration) This could be injected into fields like 'description' or '' of an audiobook. PAYLOAD="<img src=x onerror=alert(document.cookie)>" Command to update to the patched version using npm (if installed via a custom method) npm update -g audiobookshelf-app For server administrators, update the server component to the corresponding version docker-compose -f /path/to/audiobookshelf/docker-compose.yml pull docker-compose -f /path/to/audiobookshelf/docker-compose.yml up -d
How Exploit:
1. Attacker gains library modification privileges.
2. Attacker crafts malicious JavaScript payload.
3. Payload embedded into audiobook metadata.
4. Victim browses library within mobile app.
5. Unsanitized metadata renders in WebView.
6. JavaScript executes in victim’s session.
7. Session tokens stolen or API accessed.
Protection from this CVE:
1. Update immediately to version 0.12.0-beta.
2. Implement strict input sanitization.
3. Enforce principle of least privilege.
4. Use Content Security Policy headers.
5. Regularly audit library metadata.
6. Monitor for unusual JavaScript execution.
Impact:
- Session hijacking for authenticated users.
- Exfiltration of sensitive user data.
- Unauthorized native API access.
- Potential account takeover.
- Compromise of private media libraries.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

