Dsonbaker

**Name of the Vulnerable Software and Affected Versions** Audiobookshelf versions prior to 2.21.0 **Description** Audiobookshelf, a self-hosted audiobook and podcast server, contains an improper input handling issue in the "/api/upload" endpoint. This allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the `libraryId` field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser. **Recommendations** For versions prior to 2.21.0, update to version 2.21.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/upload" endpoint to minimize the risk of exploitation. Avoid using the `libraryId` field in the affected API endpoint until the issue is resolved.