XSS in Advplyr Audiobookshelf
CVE-2025-46338
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the `/api/upload` endpoint allows an attacker to perform a reflected cross-site scripting (XSS) attack by su…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.003 (57.5th percentile)
Affected products
- Advplyr Audiobookshelf — versions < 2.21.0