Advplyr Audiobookshelf
17 CVEs affecting Advplyr Audiobookshelf. Latest disclosed: 2026-05-11. Critical: 0, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-57800 | High | 8.8 | 2025-08-22 | Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback U… |
| CVE-2025-25205 | High | 8.2 | 2025-02-12 | Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic… |
| CVE-2023-47619 | High | 8.1 | 2023-12-13 | Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, d… |
| CVE-2023-47624 | High | 7.5 | 2023-12-13 | Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, any user (regardless of their permissions) may be able to read files… |
| CVE-2026-42883 | Medium | 6.5 | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user… |
| CVE-2024-43797 | Medium | 6.3 | 2024-09-02 | audiobookshelf is a self-hosted audiobook and podcast server. A non-admin user is not allowed to create libraries (or access only the ones they have permission… |
| CVE-2026-42886 | Medium | 4.9 | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an upl… |
| CVE-2026-27963 | Medium | 4.8 | 2026-02-26 | Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audio… |
| CVE-2024-35236 | Medium | 4.8 | 2024-05-27 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.10.0, opening an ebook with malicious scripts inside leads to code execution i… |
| CVE-2026-42887 | Medium | 4.5 | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due t… |
| CVE-2026-42885 | Medium | 4.3 | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validat… |
| CVE-2026-42884 | Medium | 4.3 | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collectio… |
| CVE-2023-51665 | Medium | 4.3 | 2023-12-27 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.7.0, Audiobookshelf is vulnerable to unauthenticated blind server-side request (SSRF)… |
| CVE-2023-51697 | Medium | 4.3 | 2023-12-27 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.7.0, Audiobookshelf is vulnerable to unauthenticated blind server-side request (SSRF)… |
| CVE-2026-27973 | Medium | 4.0 | 2026-02-26 | Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the… |
| CVE-2026-42888 | | | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts… |
| CVE-2025-46338 | | | 2025-04-29 | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the `/api/upload` endpoint a… |