CVE-2026-27973 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Audiobookshelf self-hosted audiobook and podcast server application developed by advplyr. This vulnerability exists in versions prior to 2.12.0 and specifically affects the Audiobookshelf mobile application before version 0.12.0-beta. The issue arises from improper neutralization of input during web page generation, allowing malicious JavaScript code to be injected into library metadata fields. An attacker who has privileges to modify the audiobook library can embed arbitrary JavaScript code that is then stored and executed in the browsers or WebViews of other users who access the affected metadata. This execution context enables attackers to perform actions such as session hijacking, exfiltration of sensitive data, and unauthorized access to native device APIs, potentially compromising user confidentiality and integrity. The vulnerability requires the attacker to have authenticated access with library modification rights and user interaction to trigger the payload, which reduces the attack surface. The vulnerability was assigned a CVSS v3.1 base score of 4.0, reflecting medium severity, with the vector indicating network attack vector, high attack complexity, privileges required, user interaction needed, and partial impact on confidentiality and integrity but no impact on availability. The issue was publicly disclosed and fixed in Audiobookshelf version 2.12.0 and the corresponding mobile app version 0.12.0-beta. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is the potential compromise of user sessions and sensitive data through the execution of arbitrary JavaScript in victim browsers or WebViews. Attackers with library modification privileges can leverage this to hijack sessions, steal authentication tokens, or access sensitive user information. Additionally, unauthorized access to native device APIs could lead to further compromise of the device or application environment. While the vulnerability does not directly affect system availability, the breach of confidentiality and integrity can lead to significant operational and reputational damage. Organizations relying on Audiobookshelf for internal or public audiobook and podcast distribution may face risks of unauthorized data access and potential lateral movement within their networks if attackers escalate privileges. However, the requirement for attacker privileges and user interaction limits the scope and ease of exploitation, somewhat mitigating widespread impact.

To mitigate this vulnerability, organizations should immediately upgrade Audiobookshelf to version 2.12.0 or later and update the mobile application to version 0.12.0-beta or newer. Restrict library modification privileges strictly to trusted users and implement robust access controls to minimize the risk of malicious metadata injection. Employ input validation and sanitization on all user-supplied metadata fields to prevent injection of executable scripts. Additionally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context. Regularly audit user permissions and monitor logs for unusual modification activities in the audiobook library. Educate users about the risks of interacting with untrusted content and encourage prompt application updates. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.