CVE-2026-27974

Name of the Vulnerable Software and Affected Versions Audiobookshelf versions prior to 0.12.0-beta

Description Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) issue exists in versions of the Audiobookshelf mobile application prior to version 0.12.0-beta. This allows for the execution of arbitrary JavaScript through manipulated library metadata. An attacker who has the ability to modify library information, or control a malicious podcast RSS feed, can execute code within a victim’s WebViews. This could potentially lead to session hijacking, data exfiltration, and unauthorized access to native device APIs.

Recommendations Update to version 0.12.0-beta or later.