NIXPKGS-2026-0344

GitHub issue published on 27 Feb 2026

Permalink CVE-2026-27963

4.8 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 3 days ago
@LeSuisse removed
4 packages
- pkgsRocm.audiobookshelf
- python312Packages.aioaudiobookshelf
- python313Packages.aioaudiobookshelf
- python314Packages.aioaudiobookshelf
3 weeks, 3 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers, potentially leading to session hijacking and data exfiltration. Version 2.32.0 contains a patch for the issue.

References

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf78 x_refsource_CONFIRM
https://github.com/advplyr/audiobookshelf/commit/503f4611b221a5bde19024e657021670df204478 x_refsource_MISC

Affected products

audiobookshelf

==< 2.32.0

Matching in nixpkgs

pkgs.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1
nixos-25.11 2.31.0
- nixos-25.11-small 2.31.0
- nixpkgs-25.11-darwin 2.31.0

Ignored packages (4)

pkgs.pkgsRocm.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1

pkgs.python312Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python313Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13
nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python314Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13

Package maintainers

@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Upstream advisory: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf78
Upstream patch: https://github.com/advplyr/audiobookshelf/commit/503f4611b221a5bde19024e657021670df204478

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0344

References

Affected products

Matching in nixpkgs

pkgs.audiobookshelf

pkgs.pkgsRocm.audiobookshelf

pkgs.python312Packages.aioaudiobookshelf

pkgs.python313Packages.aioaudiobookshelf

pkgs.python314Packages.aioaudiobookshelf

Package maintainers