Nixpkgs security tracker

Details of issue NIXPKGS-2026-0344

NIXPKGS-2026-0344
published 4 months ago
CVE-2026-27963
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pkgsRocm.audiobookshelf
    • python312Packages.aioaudiobookshelf
    • python313Packages.aioaudiobookshelf
    • python314Packages.aioaudiobookshelf
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers, potentially leading to session hijacking and data exfiltration. Version 2.32.0 contains a patch for the issue.

Affected products

audiobookshelf
  • < 2.32.0

Matching in nixpkgs

Ignored packages (4)

Upstream advisory: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf78
Upstream patch: https://github.com/advplyr/audiobookshelf/commit/503f4611b221a5bde19024e657021670df204478