Suggestions search

All statuses

Filter by:

With package: audiobookshelf

Found 2 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-27963

4.8 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 3 days ago
@LeSuisse removed
4 packages
- pkgsRocm.audiobookshelf
- python312Packages.aioaudiobookshelf
- python313Packages.aioaudiobookshelf
- python314Packages.aioaudiobookshelf
3 weeks, 3 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers, potentially leading to session hijacking and data exfiltration. Version 2.32.0 contains a patch for the issue.

References

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf78 x_refsource_CONFIRM
https://github.com/advplyr/audiobookshelf/commit/503f4611b221a5bde19024e657021670df204478 x_refsource_MISC

Affected products

audiobookshelf

==< 2.32.0

Matching in nixpkgs

pkgs.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1
nixos-25.11 2.31.0
- nixos-25.11-small 2.31.0
- nixpkgs-25.11-darwin 2.31.0

Ignored packages (4)

pkgs.pkgsRocm.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1

pkgs.python312Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python313Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13
nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python314Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13

Package maintainers

@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Upstream advisory: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-69cp-m725-wf78
Upstream patch: https://github.com/advplyr/audiobookshelf/commit/503f4611b221a5bde19024e657021670df204478

Dismissed

Permalink CVE-2026-27973

4.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): HIGH
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 3 days ago
@LeSuisse removed
4 packages
- python312Packages.aioaudiobookshelf
- python313Packages.aioaudiobookshelf
- python314Packages.aioaudiobookshelf
- pkgsRocm.audiobookshelf
3 weeks, 3 days ago
@LeSuisse dismissed 3 weeks, 3 days ago

Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.

References

https://github.com/advplyr/audiobookshelf-app/commit/b2c2b625e3cf586562397f4c02e38059f2b8ef5c x_refsource_MISC
https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-2433-p93m-xhhg x_refsource_CONFIRM

Affected products

audiobookshelf

==< 2.12.0

audiobookshelf-app

==< 0.12.0-beta

Matching in nixpkgs

pkgs.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1
nixos-25.11 2.31.0
- nixos-25.11-small 2.31.0
- nixpkgs-25.11-darwin 2.31.0

Ignored packages (4)

pkgs.pkgsRocm.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1

pkgs.python312Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python313Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13
nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python314Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13

Package maintainers

@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Current stable branch was never impacted