Skip to main content

Audiobookshelf CVE-2026-42887

| EUVD-2026-29210 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 GitHub_M
XSS Audiobookshelf
4.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.5 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 11, 2026 - 21:03 EUVD
Analysis Generated
May 11, 2026 - 20:31 vuln.today
CVE Published
May 11, 2026 - 19:55 nvd
MEDIUM 4.5

DescriptionGitHub Advisory

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges can inject arbitrary HTML/JavaScript that will be rendered on the login page for all users. This vulnerability is fixed in 2.33.0.

AnalysisAI

Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malicious HTML and JavaScript into the authLoginCustomMessage field via the /api/auth-settings endpoint, which is then rendered on the login page for all users without sanitization. This enables attackers with admin credentials to capture user credentials, perform account takeover, or redirect users to phishing sites. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials
Delivery
Authenticate to /api/auth-settings
Exploit
Inject JavaScript in authLoginCustomMessage
Execution
User visits login page
Persist
Malicious script executes in browser
Impact
Attacker captures credentials or session tokens
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must possess valid Audiobookshelf administrator credentials (PR:H) to access the /api/auth-settings endpoint and modify the authLoginCustomMessage field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment While the CVSS score of 4.5 is moderate, the actual real-world risk is constrained by privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An administrator account is compromised through credential theft or social engineering. The attacker logs into the administrative panel and modifies the authLoginCustomMessage field via the /api/auth-settings endpoint to inject JavaScript that exfiltrates username and password fields to a remote server. …
Remediation Upgrade Audiobookshelf to version 2.33.0 or later, which includes fixes for the authLoginCustomMessage sanitization. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-42887 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy