CVE-2026-27974 Overview
CVE-2026-27974 is a Cross-Site Scripting (XSS) vulnerability affecting the Audiobookshelf mobile application, a self-hosted audiobook and podcast server. This vulnerability allows arbitrary JavaScript execution through malicious library metadata in versions prior to 0.12.0-beta. Attackers with library modification privileges or control over a malicious podcast RSS feed can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs.
Critical Impact
Attackers can execute arbitrary JavaScript in victim WebViews, enabling session hijacking, data exfiltration, and unauthorized access to native device APIs through malicious library metadata or podcast RSS feeds.
Affected Products
- Audiobookshelf Mobile Application versions prior to 0.12.0-beta
- Self-hosted Audiobookshelf servers with vulnerable mobile clients
- Users consuming podcast RSS feeds from untrusted sources
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27974 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27974
Vulnerability Analysis
This Cross-Site Scripting (XSS) vulnerability exists in the Audiobookshelf mobile application's handling of library metadata content. The application fails to properly sanitize user-controlled data before rendering it in the WebView context. When library metadata containing malicious JavaScript is processed by the application, the script executes within the WebView environment with the same privileges as the legitimate application code.
The vulnerability is particularly dangerous because it can be triggered through multiple attack vectors: an attacker with library modification privileges on a shared Audiobookshelf server can inject malicious metadata, or an attacker can set up a malicious podcast RSS feed that contains crafted metadata payloads. When victims interact with the compromised content through the mobile application, the injected JavaScript executes automatically.
The impact extends beyond typical web-based XSS because mobile WebViews often have access to native device APIs through JavaScript bridges, potentially allowing attackers to access device features, stored credentials, or other sensitive application data.
Root Cause
The root cause of CVE-2026-27974 is improper output encoding in the Audiobookshelf mobile application's UI components. Specifically, the WrappingMarquee.js component was using methods that interpret HTML content rather than treating input as plain text. This allowed attacker-controlled metadata values to be interpreted as executable HTML/JavaScript rather than being rendered as harmless text content.
The vulnerability stems from the use of HTML-aware DOM manipulation methods instead of safer alternatives like textContent that treat input strictly as text data.
Attack Vector
The attack vector for this vulnerability is network-based and requires some user interaction. An attacker can exploit this vulnerability through two primary methods:
Library Modification Attack: An attacker with elevated privileges on a shared Audiobookshelf server can modify library metadata (such as audiobook titles, descriptions, or author names) to include malicious JavaScript payloads.
Malicious Podcast Feed Attack: An attacker can create or compromise a podcast RSS feed to include XSS payloads in episode metadata, titles, or descriptions that get rendered by the mobile application.
When a victim user views the compromised content in the Audiobookshelf mobile app, the malicious JavaScript executes within the WebView context, allowing the attacker to steal session tokens, exfiltrate user data, or potentially access native device APIs.
// Security patch in assets/WrappingMarquee.js - Update WrappingMarquee to use textContent
#scrollSpeed = 30
/**
- * @param {HTMLElement} el
+ * @param {HTMLElement} el
*/
constructor(el) {
this.el = el
Source: GitHub Commit Update
The patch demonstrates the fix involves updating DOM manipulation to use textContent instead of HTML-aware methods, ensuring user-controlled data is treated as plain text.
Detection Methods for CVE-2026-27974
Indicators of Compromise
- Unusual JavaScript execution patterns in Audiobookshelf mobile application logs
- Library metadata containing HTML tags, script elements, or event handlers (e.g., <script>, onerror=, onload=)
- Unexpected outbound network connections from the mobile application to unknown domains
- Session tokens or authentication data being transmitted to unauthorized endpoints
Detection Strategies
- Monitor podcast RSS feeds consumed by users for suspicious HTML/JavaScript content in metadata fields
- Implement content security monitoring on Audiobookshelf server to detect XSS payloads in library metadata
- Review mobile application WebView logs for JavaScript errors or unexpected script execution
- Deploy network monitoring to identify data exfiltration attempts from mobile devices running vulnerable app versions
Monitoring Recommendations
- Enable verbose logging in the Audiobookshelf mobile application to capture WebView activity
- Monitor authentication token usage for signs of session hijacking
- Implement alerting for library metadata modifications containing script-like content
- Track mobile application version distribution to identify users running vulnerable versions prior to 0.12.0-beta
How to Mitigate CVE-2026-27974
Immediate Actions Required
- Update the Audiobookshelf mobile application to version 0.12.0-beta or later immediately
- Audit existing library metadata for any potentially malicious content
- Review podcast RSS feed sources and remove any untrusted or suspicious feeds
- Invalidate and rotate session tokens for users who may have accessed compromised content
Patch Information
The vulnerability has been addressed in audiobookshelf-app version 0.12.0-beta. The fix modifies the WrappingMarquee.js component to use textContent for DOM manipulation instead of HTML-aware methods, ensuring that user-controlled metadata is rendered as plain text rather than interpreted as HTML/JavaScript.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-8c9r-pvrj-vcf5 and the commit implementing the fix.
Workarounds
- Restrict library modification privileges to trusted administrators only until the patch is applied
- Avoid adding podcast RSS feeds from untrusted or unknown sources
- Consider temporarily disabling podcast functionality if immediate patching is not possible
- Implement server-side metadata sanitization to strip HTML content before it reaches mobile clients
# Configuration example
# Verify Audiobookshelf mobile app version
# Users should update to version 0.12.0-beta or later
# Check app version in Settings > About
# For server administrators: Review library metadata for suspicious content
# Look for patterns like: <script>, javascript:, onerror=, onclick=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
