Skip to main content

Audiobookshelf CVE-2023-47624

MEDIUM
Path Traversal (CWE-22)
2023-12-13 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 13, 2023 - 21:15 nvd
MEDIUM 6.5

DescriptionNVD

Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, any user (regardless of their permissions) may be able to read files from the local file system due to a path traversal in the /hls endpoint. This issue may lead to Information Disclosure. As of time of publication, no patches are available.

AnalysisAI

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, any user (regardless of their permissions) may be able to read files from the local file system due to a path traversal in the /hls endpoint. This issue may lead to Information Disclosure. As of time of publication, no patches are available. Affected products include: Audiobookshelf.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2025-25205 HIGH POC
8.2 Feb 12

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remo

CVE-2025-46338 MEDIUM POC
6.9 Apr 29

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.9), this vulnerability is re

CVE-2023-47619 MEDIUM POC
6.5 Dec 13

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re

CVE-2026-27963 MEDIUM POC
4.8 Feb 26

Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library meta

CVE-2024-35236 MEDIUM POC
4.8 May 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.8), this vulnerability is re

CVE-2024-43797 MEDIUM POC
4.3 Sep 02

audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.3), this vulnerability is re

CVE-2023-51697 HIGH
7.5 Dec 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo

CVE-2023-51665 HIGH
7.5 Dec 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo

CVE-2026-42888 MEDIUM
6.9 May 11

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/c

CVE-2026-42883 MEDIUM
6.5 May 11

Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they d

CVE-2026-42886 MEDIUM
4.9 May 11

Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uplo

CVE-2026-42887 MEDIUM
4.5 May 11

Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malici

Share

CVE-2023-47624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy