Audiobookshelf Reflected Cross-Site Scripting Vulnerability in Upload API

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Audiobookshelf versions prior to 2.21.0. The issue is in the '/api/upload' endpoint: the value of the 'libraryId' field is not validated or sanitized, and when the upload fails the server copies that value verbatim into the error message it returns. Because the response is rendered by the browser, HTML or JavaScript placed in 'libraryId' is interpreted rather than shown as text, so an attacker can execute arbitrary JavaScript in the context of the victim's browser session.
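To make the root cause concrete, the following is an added illustration written for this page, not Audiobookshelf's own code: a minimal upload handler that builds its error message the way the advisory describes, next to a hardened version. The handlers take a plain request-like object and return a response object so they can be exercised offline; the library ids, field names and the allow-list pattern are assumptions for the example.

```javascript
// Added example (not Audiobookshelf's code). Shows the vulnerable pattern the
// advisory describes and one way to fix it. Library ids and the id format are
// constructed for the example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value before interpolating it into an HTML document.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for the server's library lookup.
const KNOWN_LIBRARIES = new Set(['lib_audiobooks', 'lib_podcasts']);

// Vulnerable pattern: the user-supplied libraryId is concatenated into an HTML
// error body, so a payload such as <script>...</script> comes back verbatim and
// the browser executes it when it renders the error.
function handleUploadVulnerable(req) {
  const { libraryId } = req.body;
  if (!KNOWN_LIBRARIES.has(libraryId)) {
    return {
      status: 404,
      headers: { 'Content-Type': 'text/html' },
      body: `<p>Library not found: ${libraryId}</p>`,
    };
  }
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body: '{"ok":true}' };
}

// Hardened pattern:
//  1. validate the id against an allow-list pattern before using it anywhere,
//  2. answer API errors as JSON with nosniff, so the browser never renders the
//     response as a document (JSON is not executed as script), and
//  3. if HTML output is unavoidable, escape the value first (renderHtmlError).
const LIBRARY_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;   // assumed id format
const JSON_HEADERS = {
  'Content-Type': 'application/json',
  'X-Content-Type-Options': 'nosniff',
};

function handleUploadHardened(req) {
  const libraryId = typeof req.body.libraryId === 'string' ? req.body.libraryId : '';
  if (!LIBRARY_ID_PATTERN.test(libraryId)) {
    // Reject without echoing the bad value at all.
    return { status: 400, headers: JSON_HEADERS, body: JSON.stringify({ error: 'Invalid libraryId' }) };
  }
  if (!KNOWN_LIBRARIES.has(libraryId)) {
    // Safe to echo: the value passed the allow-list and the body is JSON, not HTML.
    return { status: 404, headers: JSON_HEADERS, body: JSON.stringify({ error: 'Library not found', libraryId }) };
  }
  return { status: 200, headers: JSON_HEADERS, body: '{"ok":true}' };
}

// For code paths that must produce an HTML error page.
function renderHtmlError(message) {
  return `<p>${escapeHtml(message)}</p>`;
}
```

The allow-list check is the part that matters most: once 'libraryId' can only contain identifier characters, no later template or error path can be turned into an injection point, whatever content type it uses.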

Impact

Exploitation of this vulnerability allows reflected cross-site scripting: an attacker can execute arbitrary JavaScript in the victim's browser, in the context of the victim's authenticated Audiobookshelf session. As with any reflected XSS, the attacker must induce a logged-in user to send the crafted request, for example from an attacker-controlled page; the injected script then runs with that user's privileges, which could lead to session hijacking, credential theft, or further exploitation of the instance.

Reproduction

To reproduce this vulnerability, log in to Audiobookshelf and navigate to the upload feature. Submit a file through the upload form with a malicious payload (for example a '<script>' tag) in the 'libraryId' field. Because the value is not a valid library identifier, the upload fails and the server returns an error message containing the payload unchanged; the injected JavaScript executes when that error message is rendered, demonstrating the cross-site scripting vulnerability.
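The reproduction above can be scripted so that the verdict is recorded rather than eyeballed. The harness below is an added example for this page, not part of the advisory or of Audiobookshelf; it assumes the upload is a multipart POST, that the file field is named 'files', and that the session is presented as a Bearer token (none of which the advisory confirms, so adjust to the real form if they differ). The response classifier is pure and runs offline; the network call only fires when the ABS_URL and ABS_TOKEN environment variables are set.

```javascript
// Added reproduction harness (not Audiobookshelf's code). Assumptions: multipart
// POST to /api/upload, file field "files", Bearer-token auth. Node 18+ for the
// global fetch, FormData and Blob.

const PAYLOAD = '<script>alert(document.domain)</script>';

// Classify how a response handled the payload:
//   "unescaped"          raw markup came back in an HTML body (exploitable)
//   "reflected-non-html" raw value came back, but not in an HTML document
//                        (e.g. JSON), which the browser will not execute
//   "escaped"            the value came back as HTML entities (safe)
//   "absent"             the value was not reflected at all
function classifyReflection(contentType, body, payload) {
  const isHtml = /text\/html/i.test(contentType || '');
  if (body.includes(payload)) {
    return isHtml ? 'unescaped' : 'reflected-non-html';
  }
  const entityEncoded = payload.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  if (body.includes(entityEncoded)) {
    return 'escaped';
  }
  return 'absent';
}

// Send one upload with the payload in libraryId and classify the reply.
async function probeUpload(baseUrl, token, libraryIdPayload) {
  const form = new FormData();
  form.append('libraryId', libraryIdPayload);
  // Constructed dummy file; field name "files" is an assumption.
  form.append('files', new Blob(['not really audio'], { type: 'audio/mpeg' }), 'probe.mp3');

  const res = await fetch(`${baseUrl.replace(/\/$/, '')}/api/upload`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}` },
    body: form,
  });
  const body = await res.text();
  const contentType = res.headers.get('content-type');
  return { status: res.status, contentType, verdict: classifyReflection(contentType, body, libraryIdPayload) };
}

// Only talk to a server when explicitly configured.
if (typeof process !== 'undefined' && process.env.ABS_URL && process.env.ABS_TOKEN) {
  probeUpload(process.env.ABS_URL, process.env.ABS_TOKEN, PAYLOAD)
    .then((result) => console.log(JSON.stringify(result)))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

A verdict of "unescaped" is the condition this advisory describes; "reflected-non-html" or "escaped" indicates the fixed behaviour, where the value may still be echoed but cannot run as script. Run it against a version before 2.21.0 and again after upgrading to confirm the fix took effect.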

Remediation

Update to Audiobookshelf version 2.21.0 or later, which contains the patch for this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.