CVE-2026-27963
Stored XSS in Audiobookshelf Library Metadata Enables Session Hijacking
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| audiobookshelf | audiobookshelf | to 2.32.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27963 is a stored cross-site scripting (XSS) vulnerability in the Audiobookshelf web application affecting versions prior to 2.32.0. The issue exists in the global Tooltip component, which uses unsanitized innerHTML assignments to render tooltip text. An attacker with library modification privileges can inject malicious HTML or JavaScript code into audiobook metadata, such as book titles.
When a victim user hovers over the malicious book cover or tooltip, the injected script executes in their browser. This can lead to session hijacking, token theft, and data exfiltration. The vulnerability arises because the tooltip text is assigned directly to innerHTML without sanitization, allowing arbitrary code execution.
The vulnerability was patched in version 2.32.0 by changing the tooltip rendering to use textContent instead of innerHTML, preventing HTML parsing and script execution.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact users by allowing attackers with library modification privileges to execute arbitrary JavaScript code in the browsers of other users who view or interact with the malicious audiobook metadata.'}, {'type': 'list_item', 'content': 'Session hijacking - attackers can steal session tokens to impersonate users.'}, {'type': 'list_item', 'content': "Data exfiltration - sensitive information accessible in the victim's browser can be stolen."}, {'type': 'list_item', 'content': 'Potential compromise of user accounts or unauthorized actions performed on behalf of the victim.'}, {'type': 'paragraph', 'content': 'The attack requires the attacker to have library modification privileges and the victim to interact with the malicious tooltip (e.g., by hovering over it).'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in the Audiobookshelf web application affecting versions prior to 2.32.0. Detection involves identifying if malicious JavaScript code has been injected into audiobook metadata, such as book titles, which are rendered in tooltips.
Since the attack payload executes when a user hovers over a tooltip in the web interface, detection can include inspecting audiobook metadata for suspicious HTML or JavaScript code, especially in titles or other fields displayed in tooltips.
Suggested commands or steps to detect the vulnerability include:
- Manually review audiobook metadata entries for suspicious HTML tags or JavaScript event handlers (e.g., <img src=x onerror=...>).
- Use database queries or export metadata to search for common XSS payload patterns such as <script>, onerror=, or other HTML tags in title fields.
- Monitor web application logs or browser developer tools for unexpected JavaScript execution or errors triggered by tooltip rendering.
- No specific network commands are provided in the resources, but inspecting HTTP responses for injected scripts in tooltip content or using web vulnerability scanners targeting stored XSS in the Audiobookshelf interface may help.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Audiobookshelf application to version 2.32.0 or later, where the vulnerability has been patched.
The patch replaces unsafe innerHTML assignments with safe textContent assignments in the tooltip rendering code, preventing HTML parsing and script execution.
Additional immediate steps include:
- Restrict library modification privileges to trusted users only, as the attack requires such privileges to inject malicious metadata.
- Review and sanitize existing audiobook metadata to remove any potentially malicious HTML or JavaScript code.
- Educate users to avoid hovering over suspicious or unknown audiobook entries until the patch is applied.