Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-27973

4.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): HIGH
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0.

References

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-2433-p93m-xhhg x_refsource_CONFIRM
https://github.com/advplyr/audiobookshelf-app/commit/b2c2b625e3cf586562397f4c02e38059f2b8ef5c x_refsource_MISC

Affected products

audiobookshelf

==< 2.12.0

audiobookshelf-app

==< 0.12.0-beta

Matching in nixpkgs

pkgs.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1
nixos-25.11 2.31.0
- nixos-25.11-small 2.31.0
- nixpkgs-25.11-darwin 2.31.0

pkgs.pkgsRocm.audiobookshelf

Self-hosted audiobook and podcast server

nixos-unstable 2.32.1
- nixpkgs-unstable 2.32.1
- nixos-unstable-small 2.32.1

pkgs.python312Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python313Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13
nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python314Packages.aioaudiobookshelf

Async python library to interact with Audiobookshelf

nixos-unstable 0.1.13
- nixpkgs-unstable 0.1.13
- nixos-unstable-small 0.1.13

Package maintainers

@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@tebriel tebriel <tebriel@frodux.in>