Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27974 is a stored cross-site scripting (XSS) vulnerability in the Audiobookshelf mobile application versions prior to 0.12.0-beta. It occurs because the app's WrappingMarquee.js component unsafely assigns user-controlled audiobook or podcast metadata (such as titles) directly to the innerHTML property without sanitization. This allows attackers with library modification privileges or control over malicious podcast RSS feeds to inject arbitrary JavaScript code. When a victim user plays the affected content, the malicious script executes within the app's WebView context."}] [2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "The vulnerability allows attackers to execute arbitrary JavaScript in the victim's WebView, which can lead to several security issues:"}, {'type': 'list_item', 'content': 'Session hijacking by accessing session storage and authentication tokens, including admin tokens.'}, {'type': 'list_item', 'content': 'Data exfiltration through unauthorized access to sensitive information.'}, {'type': 'list_item', 'content': 'Unauthorized access to native device APIs via Capacitor, such as filesystem, database, and audio player controls.'}, {'type': 'list_item', 'content': 'Potential unauthorized modification of app or server state.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the Audiobookshelf mobile application is running a vulnerable version (prior to 0.12.0-beta) and if malicious library metadata or podcast RSS feeds are present that could exploit the XSS flaw.'}, {'type': 'paragraph', 'content': 'Since the vulnerability arises from unsafe use of innerHTML in WrappingMarquee.js, you can check the application version and inspect library metadata for suspicious HTML or JavaScript payloads.'}, {'type': 'list_item', 'content': 'Check the version of audiobookshelf-app installed: verify if it is older than 0.12.0-beta.'}, {'type': 'list_item', 'content': 'Search for suspicious HTML or JavaScript in audiobook or podcast metadata fields (titles, chapters) that might contain script tags or event handlers.'}, {'type': 'list_item', 'content': 'Commands to help detect suspicious content could include using grep or similar tools on metadata files or database entries, for example:'}, {'type': 'list_item', 'content': "grep -i -r '<script\\|onerror\\|javascript:' /path/to/audiobookshelf/metadata"}, {'type': 'list_item', 'content': 'If the app logs library modifications, review logs for unexpected changes or uploads.'}, {'type': 'paragraph', 'content': 'Network detection is limited since exploitation requires user interaction and playback of malicious content, but monitoring for unusual podcast RSS feed URLs or library updates from untrusted sources may help.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update the Audiobookshelf mobile application to version 0.12.0-beta or later, where the vulnerability is fixed by replacing unsafe innerHTML assignments with safe textContent assignments.

• Upgrade audiobookshelf-app to version 0.12.0-beta or newer.
• Restrict library modification privileges to trusted users only to prevent injection of malicious metadata.
• Avoid adding or subscribing to untrusted or suspicious podcast RSS feeds that could contain malicious payloads.
• If upgrading immediately is not possible, consider disabling playback of untrusted content or removing suspicious library entries.

These steps reduce the risk of arbitrary JavaScript execution, session hijacking, and unauthorized access to native device APIs.

Useful 0 Not Useful 0