CVE-2025-46338

Sažetak

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the `/api/upload` endpoint allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the `libraryId` field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser. This issue has been patched in version 2.21.0.

Reference

https://github.com/advplyr/audiobookshelf/commit/35870a01583b2947030f4e3d4ac769c3ff298386
https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-47g3-c5hx-2q3w

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

29-04-2025 - 13:52

Objavljeno

29-04-2025 - 05:15