CVE-2026-27973 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the Audiobookshelf self-hosted audiobook and podcast server and its mobile application. The vulnerability exists in versions prior to 2.12.0 of the server and 0.12.0-beta of the mobile app. It arises from improper neutralization of input during web page generation, specifically through maliciously crafted library metadata. An attacker who has privileges to modify the audiobook library can inject arbitrary JavaScript code into the metadata fields. When other users access the affected content via browsers or embedded WebViews in the mobile app, the malicious script executes in their context. This can lead to session hijacking, unauthorized data access, exfiltration, and potentially unauthorized access to native device APIs exposed through the WebView environment. Exploitation requires the attacker to have library modification privileges, which implies some level of authentication and trust. Additionally, the victim must interact with the malicious content for the script to execute. The vulnerability is fixed in Audiobookshelf version 2.12.0 and the corresponding mobile app version 0.12.0-beta. The CVSS v3.1 base score is 4.0, indicating medium severity, with attack vector network, attack complexity high, privileges required high, user interaction required, and impact limited to confidentiality and integrity. No public exploits or active exploitation have been reported to date.

The primary impact of this vulnerability is on confidentiality and integrity of user sessions and data within the Audiobookshelf environment. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and access sensitive audiobook or podcast content. Data exfiltration is possible, potentially exposing user information or private library metadata. Access to native device APIs via WebView could allow attackers to perform unauthorized actions on the victim's device, depending on the permissions granted to the app. However, the requirement for attacker privileges to modify the library and user interaction limits the scope and ease of exploitation. Organizations relying on Audiobookshelf for self-hosted media streaming may face risks of unauthorized access and data compromise, particularly in environments with multiple users having library modification rights. The vulnerability could be exploited to undermine user trust and privacy, and in some cases, lead to lateral movement if the compromised device is part of a larger network.

To mitigate this vulnerability, organizations should immediately upgrade Audiobookshelf to version 2.12.0 or later and update the mobile application to version 0.12.0-beta or newer. Restrict library modification privileges strictly to trusted users to reduce the risk of malicious metadata injection. Implement input validation and sanitization on all user-supplied metadata fields to prevent injection of executable scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the web interface and mobile WebViews. Monitor logs and user activity for unusual modifications to library metadata or unexpected user behavior. Educate users about the risks of interacting with untrusted content within the app. Consider isolating the Audiobookshelf server within a segmented network zone to limit potential lateral movement in case of compromise. Regularly review and audit user permissions and update the application promptly when security patches are released.