CVE-2026-27963
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Audiobookshelf allows an authenticated attacker with library modification privileges to inject malicious JavaScript into library metadata. The payload is saved server-side and executes in the browser of every other user who later views that metadata, including administrators, with that user's session and privileges. This affects all Audiobookshelf instances running versions before 2.32.0.
💻 Affected Systems
- Audiobookshelf
📦 What is this software?
Audiobookshelf (advplyr/audiobookshelf) is a self-hosted, open-source audiobook and podcast server with a browser-based client. A single instance normally serves several user accounts with different permission levels, which is why a stored XSS that crosses from one account to another matters here.
⚠️ Risk & Real-World Impact
Worst Case
An attacker hijacks an administrator's session, gains full control of the Audiobookshelf instance (user accounts, library configuration, server settings), exfiltrates user data, and uses the compromised server as a pivot point for further attacks on the network it sits on.
Likely Case
Attackers with library access steal session cookies from regular users, impersonate them, and potentially access their personal audiobook collections and listening data.
If Mitigated
With library modification restricted to trusted accounts, an attacker first needs one of those accounts, so exposure is limited to what those users can reach. A strict CSP additionally stops the injected script from running in browsers that enforce it, but the payload remains stored until it is removed; without CSP, session hijacking of any user who views the metadata is still possible.
🎯 Exploit Status
Exploitation requires an authenticated account with library modification privileges. The attacker stores the payload once; it fires each time another user renders the affected metadata, so no further interaction from the attacker is needed. The vendor advisory documents the attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.32.0
Vendor Advisory: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf78
Restart Required: Yes
Instructions:
1. Back up your Audiobookshelf data and configuration.
2. Update to version 2.32.0 or later using your preferred method (Docker image tag, manual install, package, etc.).
3. Restart the Audiobookshelf service.
4. Verify the update was successful by checking the version in the web interface or via the API.
🔧 Temporary Workarounds
Restrict Library Modification Privileges
Temporarily remove library modification permissions from all non-administrator users, so that only trusted accounts can write the affected metadata fields until the instance is patched.
# Configure in Audiobookshelf web UI under User Permissions
Content Security Policy (CSP)
Implement a strict CSP header to block inline JavaScript execution. Set it at the reverse proxy in front of Audiobookshelf and test it against the web client first: a policy that forbids inline script can break an application that relies on it. Note that CSP only stops the injected script from executing in browsers that enforce the policy; it does not remove the stored payload.
# Add to web server (reverse proxy) config: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Implement strict user privilege separation, ensuring only trusted administrators can modify library metadata.
- Deploy a web application firewall (WAF) with XSS protection rules to block malicious payloads. Treat this as defence in depth only: generic XSS signatures are routinely bypassed with encoded or obfuscated payloads, and the WAF sees nothing once a payload has already been stored.
🔍 How to Verify
Check if Vulnerable:
Check your Audiobookshelf version in the web interface (Settings → About) or via the API. If the version is below 2.32.0, you are vulnerable. Compare versions numerically, component by component: a plain string comparison puts 2.9.0 after 2.32.0.
Check Version:
curl -s http://localhost:13378/api/version | grep version
Verify Fix Applied:
After updating, confirm the version is 2.32.0 or higher. On a non-production library, or one created for the purpose, store a harmless XSS probe in a library metadata field and view it from a second account to confirm it is rendered as text rather than executed. Also review metadata that was written before the update: patching stops new payloads from being stored, but anything an attacker saved earlier should be found and removed.
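The version comparison behind the check above, as an added example rather than code from the Audiobookshelf project. It assumes the /api/version endpoint returns a JSON body with a version string field (the curl | grep check on this page implies as much); the function names are illustrative. Pre-release builds of 2.32.0 are treated as older than the final release.

```javascript
// Added example (not Audiobookshelf project code): decide whether a reported
// Audiobookshelf version is below the fixed release using numeric, component-wise
// comparison instead of string comparison, which misorders e.g. 2.9.0 and 2.32.0.
const FIXED_VERSION = '2.32.0';

// Parse "v2.31.1", "2.32.0-beta.1", "2.9.0" into [major, minor, patch, release].
// The fourth component is 0 for a pre-release (sorts before the final release)
// and 1 for a final release; build metadata and the "v" prefix are ignored.
function parseVersion(raw) {
  const m = String(raw).trim().match(/^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/);
  if (!m) throw new Error(`unparseable version string: ${raw}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Returns -1, 0 or 1 comparing a to b, component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the instance runs anything older than the fixed release.
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Extract the version from the body returned by /api/version.
// The {"version": "..."} shape is an assumption for this example.
function versionFromApiBody(bodyText) {
  const body = JSON.parse(bodyText);
  if (typeof body.version !== 'string') {
    throw new Error('no "version" string field in response body');
  }
  return body.version;
}

// Constructed sample response, not captured from a real server.
const sampleBody = '{"version":"2.31.2"}';
const reported = versionFromApiBody(sampleBody);
console.log(`reported ${reported}, vulnerable: ${isVulnerableVersion(reported)}`);

// String comparison gets the ordering wrong; the numeric comparison does not.
console.log(`string compare says 2.9.0 > 2.32.0: ${'2.9.0' > '2.32.0'}`);
console.log(`isVulnerableVersion('2.9.0'): ${isVulnerableVersion('2.9.0')}`);
```

Feed it the raw body of the API response rather than the output of grep, so the check fails loudly if the response shape changes instead of silently matching on the word "version".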
📡 Detection & Monitoring
Log Indicators:
- Unusual library metadata modifications
- JavaScript code patterns in library update requests
- Existing sessions suddenly used from a new IP address or user agent, the sign of a replayed session cookie
Network Indicators:
- HTTP requests containing script tags, event-handler attributes (onerror=, onload=) or javascript: URIs in library metadata fields, including URL- or entity-encoded forms
- Outbound connections to suspicious domains from the Audiobookshelf server
SIEM Query:
source="audiobookshelf" AND (event="library_update" AND (message="*<script*" OR message="*javascript:*"))
This query matches only literal <script and javascript: strings. Extend it with event-handler attributes (*onerror=*, *onload=*) and encoded variants (*%3Cscript*, *&lt;script*), or normalise the message field before matching, otherwise a payload such as an img tag with an onerror handler passes unnoticed.