CVE-2025-46338

Name of the Vulnerable Software and Affected Versions Audiobookshelf versions prior to 2.21.0

Description Audiobookshelf, a self-hosted audiobook and podcast server, contains an improper input handling issue in the "/api/upload" endpoint. This allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the libraryId field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser.

Recommendations For versions prior to 2.21.0, update to version 2.21.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/upload" endpoint to minimize the risk of exploitation. Avoid using the libraryId field in the affected API endpoint until the issue is resolved.