CVE-2026-27963 is a stored cross-site scripting (XSS) vulnerability identified in the Audiobookshelf web application, a self-hosted audiobook and podcast server developed by advplyr. The vulnerability exists in versions prior to 2.32.0 and stems from improper neutralization of input during web page generation (CWE-79). Specifically, malicious JavaScript code can be injected through crafted library metadata by an attacker who has privileges to modify the audiobook library. When other users browse or interact with the affected metadata, the injected script executes within their browsers, enabling the attacker to hijack user sessions, steal cookies, or exfiltrate sensitive data. The vulnerability requires the attacker to have authenticated access with library modification rights, and user interaction is necessary to trigger the malicious payload. The scope of impact is limited to environments where Audiobookshelf is deployed and where multiple users access the same library content. The vulnerability was assigned CVE-2026-27963 and carries a CVSS v3.1 base score of 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed. The issue was publicly disclosed on February 26, 2026, and fixed in version 2.32.0 of Audiobookshelf. No known exploits in the wild have been reported to date.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data within Audiobookshelf deployments. Successful exploitation allows attackers to execute arbitrary JavaScript in victim browsers, potentially leading to session hijacking, unauthorized access to user accounts, and exfiltration of sensitive information such as authentication tokens or personal data. While availability is not directly affected, compromised user accounts could lead to further malicious activities. Organizations relying on Audiobookshelf for audiobook or podcast management face risks of internal data compromise, especially in multi-user environments where library modification privileges are granted to multiple users. The requirement for authenticated access with elevated privileges limits the attack surface but does not eliminate risk, particularly in organizations with weak access controls or insider threats. Given the self-hosted nature of Audiobookshelf, the impact is concentrated on organizations and individuals who deploy this software internally, including educational institutions, libraries, and media organizations.

To mitigate this vulnerability, organizations should immediately upgrade Audiobookshelf installations to version 2.32.0 or later, where the issue is patched. Until upgrading is possible, restrict library modification privileges strictly to trusted administrators and users to minimize the risk of malicious metadata injection. Implement strong authentication and access control policies to prevent unauthorized privilege escalation. Additionally, consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the application. Regularly audit library metadata for suspicious or unexpected content that could indicate attempted exploitation. Educate users about the risks of interacting with untrusted content and monitor logs for unusual activity related to library modifications. Finally, maintain up-to-date backups and incident response plans to quickly recover from any compromise.