CVE-2026-27974 is a medium-severity cross-site scripting vulnerability affecting the Audiobookshelf mobile application, a self-hosted audiobook and podcast server client. Versions prior to 0.12.0-beta fail to properly sanitize or neutralize input data embedded in library metadata, such as titles or descriptions, which are rendered within WebViews inside the app. An attacker who has privileges to modify the audiobook library or controls a malicious podcast RSS feed can craft metadata containing malicious JavaScript payloads. When a victim user views this content, the injected script executes within the app's WebView context. This can lead to session hijacking, allowing attackers to steal authentication tokens or cookies, data exfiltration from the app, and unauthorized access to native device APIs exposed to the WebView environment. The vulnerability is rooted in CWE-79, indicating improper input validation during dynamic web page generation. Exploitation requires the attacker to have library modification rights or control over a podcast feed, and the victim must interact with the malicious content. The issue was publicly disclosed on February 26, 2026, and fixed in version 0.12.0-beta. No known active exploits have been reported. The CVSS v3.1 base score is 4.8, reflecting network attack vector, low attack complexity, high privileges required, user interaction needed, and partial confidentiality and integrity impact without availability impact.

This vulnerability can compromise the confidentiality and integrity of user data within the Audiobookshelf mobile app. Attackers exploiting this flaw can hijack user sessions, potentially gaining unauthorized access to user accounts and sensitive audiobook or podcast data. Data exfiltration risks include theft of personal information or usage data stored or accessible via the app. Unauthorized access to native device APIs through the WebView could allow attackers to perform actions on the device beyond the app’s intended scope, potentially escalating the impact. While the requirement for attacker privileges or control over podcast feeds limits the attack surface, organizations or individuals hosting shared audiobook libraries or consuming untrusted podcast feeds are at risk. This could affect privacy and trust in self-hosted audiobook services, especially in environments where multiple users share access. The medium severity score reflects the moderate impact and exploitation complexity, but the potential for lateral movement or further compromise exists if combined with other vulnerabilities or social engineering.

Organizations and users should upgrade the Audiobookshelf mobile application to version 0.12.0-beta or later, where the vulnerability is patched. Administrators must restrict library modification privileges strictly to trusted users to reduce the risk of malicious metadata injection. For podcast feeds, only subscribe to trusted and verified sources to prevent ingestion of malicious RSS content. Implement content security policies (CSP) within the app’s WebView environment if possible, to restrict script execution and reduce the impact of injected scripts. Regularly audit and sanitize all metadata inputs before rendering them in WebViews, applying strict input validation and output encoding. Monitor application logs for unusual activity related to library modifications or feed updates. Educate users about the risks of interacting with untrusted content within the app. Consider isolating the WebView environment or limiting its access to sensitive device APIs to minimize potential damage from XSS attacks.