CVE-2026-27973
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Audiobookshelf mobile app versions before 0.12.0-beta allows attackers with library modification privileges to inject malicious JavaScript into library metadata. This code executes in victims' browsers/WebViews when they view the compromised content, potentially leading to session hijacking or data theft. Users of Audiobookshelf mobile app versions prior to 0.12.0-beta are affected.
💻 Affected Systems
- Audiobookshelf mobile application
📦 What is this software?
Audiobookshelf by Audiobookshelf
Audiobookshelf Mobile App by Audiobookshelf
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack user sessions, exfiltrate sensitive data, access native device APIs, and perform unauthorized actions on behalf of victims.
Likely Case
Attackers with library access could steal session cookies, redirect users to malicious sites, or perform limited client-side attacks against users viewing compromised content.
If Mitigated
With proper access controls limiting library modification to trusted users only, the attack surface shrinks significantly, leaving mainly potential insider threats.
🎯 Exploit Status
Exploitation requires library modification privileges. The vulnerability is stored XSS, meaning the malicious payload persists in the stored metadata until it is removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: audiobookshelf-app 0.12.0-beta (corresponds to audiobookshelf server 2.12.0)
Vendor Advisory: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-2433-p93m-xhhg
Restart Required: Yes
Instructions:
1. Update the Audiobookshelf mobile app to version 0.12.0-beta or later from your app store.
2. Update the Audiobookshelf server to version 2.12.0 or later.
3. Restart both the mobile app and the server services.
🔧 Temporary Workarounds
Restrict Library Modification Permissions
Limit library modification capabilities to trusted administrators only to reduce the attack surface.
Configure user roles in Audiobookshelf to restrict library_write permissions
Content Security Policy (CSP)
Implement strict CSP headers to mitigate XSS impact by restricting the sources from which scripts may execute.
Add a Content-Security-Policy header to the web server configuration
🧯 If You Can't Patch
- Restrict library modification permissions to minimal trusted users only.
- Implement network segmentation to isolate Audiobookshelf server from sensitive systems.
🔍 How to Verify
Check if Vulnerable:
Check the mobile app version in its settings. If the version is below 0.12.0-beta, you are vulnerable.
Check Version:
Check the app version in the mobile device settings, or the server version via the web interface.
Verify Fix Applied:
Confirm mobile app version is 0.12.0-beta or higher and server version is 2.12.0 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual library metadata modifications
- Suspicious JavaScript patterns in library entries
- Multiple failed authentication attempts followed by library access
Network Indicators:
- Unexpected outbound connections from mobile devices after accessing Audiobookshelf
- Data exfiltration patterns from mobile clients
SIEM Query:
source="audiobookshelf" AND (event="library_modified" OR event="metadata_updated") | stats count by user, ip_address
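As an added illustration of the "suspicious JavaScript patterns in library entries" indicator above (example code written for this page, not code from Audiobookshelf or from the advisory): a scanner that flags HTML and script fragments in the text metadata fields of an exported item list. The item structure, the field names and the sample records are constructed assumptions, not the real server schema.

```python
import re
from typing import Dict, List, Tuple

# Heuristics for HTML/JavaScript in fields that should hold plain text.
# Kept narrow to limit false positives on ordinary book metadata; every
# hit should still be reviewed by a human before any cleanup.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),                   # <script> tags
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),                  # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.IGNORECASE),                  # javascript: URLs
    re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.IGNORECASE),  # tag smuggling
]

# Text fields a user with library_write permission can edit and that the
# app later renders. The names are assumptions for this example.
TEXT_FIELDS = ("title", "subtitle", "author", "narrator", "series", "description")


def scan_item(item: Dict) -> List[Tuple[str, str]]:
    """Return (field, pattern) pairs for every suspicious value in one item."""
    hits = []
    meta = item.get("media", {}).get("metadata", {})
    for field in TEXT_FIELDS:
        value = meta.get(field)
        if not isinstance(value, str):
            continue
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(value):
                hits.append((field, pat.pattern))
    return hits


def scan_library(items: List[Dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map item id -> hits for every item whose metadata looks tampered with."""
    return {it["id"]: h for it in items if (h := scan_item(it))}


# Constructed sample export, loosely shaped like a library item list
# (the structure is an assumption, not the real schema).
SAMPLE_ITEMS = [
    {"id": "li_clean", "media": {"metadata": {
        "title": "The Count of Monte Cristo", "author": "Alexandre Dumas",
        "description": "Edmond Dantes is betrayed & imprisoned."}}},
    {"id": "li_script", "media": {"metadata": {
        "title": "Dune", "description": "Great read <script>alert(1)</script>"}}},
    {"id": "li_handler", "media": {"metadata": {
        "title": "Foundation", "author": "<img src=x onerror=alert(1)>"}}},
]

if __name__ == "__main__":
    for item_id, hits in scan_library(SAMPLE_ITEMS).items():
        print(item_id, hits)  # li_clean produces no line
```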