VYPR
Unrated severity · NVD Advisory · Published Apr 29, 2025 · Updated Apr 29, 2025

Audiobookshelf Vulnerable to Cross-Site-Scripting Reflected via POST Request in /api/upload

CVE-2025-46338

Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the /api/upload endpoint allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the libraryId field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser. This issue has been patched in version 2.21.0.
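The pattern the description names (client-supplied libraryId echoed into an HTML error body) and its fix, as an added illustration written for this page, not Audiobookshelf's own code. Only the /api/upload endpoint and the libraryId field come from the advisory; the handler names, the response shape, the identifier format and the sample input are assumptions.

```javascript
// Added illustrative example (not Audiobookshelf's code). Shows the reflected
// XSS pattern from CVE-2025-46338 beside a hardened handler and a small check
// a test suite can use to catch reflection of untrusted input into HTML.
// Handler names, response shape and id format are assumptions.

// Minimal HTML escaper for text that must be interpolated into an HTML body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable pattern: the "library not found" error for POST /api/upload
// builds an HTML body by string interpolation of the raw libraryId value,
// so markup in the field lands in the page unchanged.
function uploadErrorVulnerable(body, knownLibraries) {
  const { libraryId } = body;
  if (!knownLibraries.has(libraryId)) {
    return {
      status: 404,
      contentType: "text/html",
      body: `<p>Library not found: ${libraryId}</p>`,
    };
  }
  return { status: 200, contentType: "application/json", body: '{"ok":true}' };
}

// Hardened pattern: validate the id against the format the server actually
// issues (assumed here), answer with a static JSON error that never reflects
// the client value, and mark the response so browsers will not sniff it as
// HTML. If an HTML body is unavoidable, escapeHtml() must wrap the value.
const LIBRARY_ID = /^[A-Za-z0-9_-]{1,64}$/;

function uploadErrorHardened(body, knownLibraries) {
  const libraryId = typeof body.libraryId === "string" ? body.libraryId : "";
  if (!LIBRARY_ID.test(libraryId) || !knownLibraries.has(libraryId)) {
    return {
      status: 404,
      contentType: "application/json; charset=utf-8",
      headers: { "X-Content-Type-Options": "nosniff" },
      body: JSON.stringify({ error: "Library not found" }),
    };
  }
  return { status: 200, contentType: "application/json", body: '{"ok":true}' };
}

// Regression check: does an HTML response carry the untrusted value verbatim?
// Useful as an assertion in handler tests for every endpoint that echoes
// request fields into error messages.
function reflectsUntrusted(response, value) {
  return /text\/html/i.test(response.contentType) && response.body.includes(value);
}

// Constructed sample: a marker string with markup characters, stands in for
// whatever a client might put in the libraryId field.
const SAMPLE_LIBRARIES = new Set(["lib_1"]);
const SAMPLE_INPUT = "<script>constructed()</script>";

if (typeof require !== "undefined" && require.main === module) {
  const v = uploadErrorVulnerable({ libraryId: SAMPLE_INPUT }, SAMPLE_LIBRARIES);
  const h = uploadErrorHardened({ libraryId: SAMPLE_INPUT }, SAMPLE_LIBRARIES);
  console.log("vulnerable reflects input:", reflectsUntrusted(v, SAMPLE_INPUT));
  console.log("hardened reflects input:  ", reflectsUntrusted(h, SAMPLE_INPUT));
}
```

The fix that matters is the response context: an error that is pure JSON with a static message has no HTML context for a browser to interpret, and the id allowlist rejects malformed values before any message is built. reflectsUntrusted() is the check to keep in a test suite so the pattern does not return in another endpoint.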


Affected products: 2

Patches

Vulnerability mechanics

References: 2

News mentions: 0 (no linked articles in the index yet)