CVE-2026-42887 MEDIUM

CVE-2026-42887: Audiobookshelf: Stored Cross-Site Scripting in Login Page Custom Message

Vendor Advplyr
Product audiobookshelf
Weakness CWE-79 · XSS
Published May 11, 2026
Last update May 12, 2026

CVSS base score

4.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges can inject arbitrary HTML/JavaScript that will be rendered on the login page for all users. This vulnerability is fixed in 2.33.0.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 12, 2026 Record updated