CVE-2024-35236
Published 2024-05-27

CVE-2024-35236: Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.10.0, opening an ebook with malicious scripts inside leads to code execution…
Priority: P4 30 · Severity: medium · CVSS 3.1 base score: 4.8
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.84% (53.2th percentile)
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.10.0, opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Attacking a user with high privileges (upload, creation of libraries) can lead to remote code execution (RCE) in the worst case. This was tested on version 2.9.0 on Windows, but an arbitrary file write is powerful enough as is and should easily lead to RCE on Linux, too. Version 2.10.0 contains a patch for the vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advplyr | audiobookshelf | < 2.10.0 | 2.10.0 |
| audiobookshelf | audiobookshelf | < 2.10.0 | 2.10.0 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.2 | 2.62.2 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| ghsa | | 4.8 | MEDIUM | |
| osv | | 4.8 | MEDIUM | |
GHSA · 2026-03-31 · CVSS 4.8
CVE-2026-34529 [MEDIUM] CWE-79: File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
### Summary
The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file.
### Details
`frontend/src/views/files/Preview.vue` passes `allowScriptedContent: true` to the `vue-reader` (epub.js) component:
```js
// frontend/src/views/files/Preview.vue (Line 87)
:epubOptions="{
allowPopups: true,
allowScriptedContent: true,
}"
```
epub.js renders EPUB content inside a sandboxed `<iframe>` populated through `srcdoc`. However, the sandbox includes both `allow-scripts` and `allow-same-origin`, which [renders the sandbox ineffective](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow-top-navi
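The advisory's point is that two settings combine badly: `allowScriptedContent: true` lets the reader run script embedded in the EPUB, and a sandbox that grants both `allow-scripts` and `allow-same-origin` gives that script the embedding page's origin, so it can reach the parent document and strip the sandbox attribute. The following is an added example, not code from File Browser, epub.js or the advisory; it shows the weak reader options next to a hardened set (hypothetical option objects in the style of the advisory's `epubOptions`) and a small review function a maintainer could run against a viewer configuration to flag the same misconfiguration.

```javascript
// Added example: not part of the advisory or the File Browser project.
// Hypothetical reader option objects in the style of the advisory's epubOptions.
const weakEpubOptions = { allowPopups: true, allowScriptedContent: true };
const hardenedEpubOptions = { allowPopups: false, allowScriptedContent: false };

/**
 * Parse an iframe sandbox attribute value into a set of lower-case tokens.
 * Returns null when the attribute is absent, which means no sandbox at all.
 */
function parseSandbox(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return null;
  return new Set(
    sandboxAttr.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

/**
 * Classify how much isolation an iframe sandbox actually provides.
 *   'none'      no sandbox attribute: content runs with the embedder's privileges
 *   'escapable' allow-scripts plus allow-same-origin: script shares the parent
 *               origin and can remove the sandbox, so isolation is nominal
 *   'scripted'  scripts run, but in an opaque origin (the usual safe choice
 *               when scripts must be allowed)
 *   'inert'     no allow-scripts: embedded script cannot run
 */
function classifySandbox(sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  if (tokens === null) return 'none';
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) return 'escapable';
  if (tokens.has('allow-scripts')) return 'scripted';
  return 'inert';
}

/**
 * Review a reader configuration: the epubOptions flags and the sandbox value
 * the viewer iframe ends up with. Returns a list of findings; an empty list
 * means nothing was flagged.
 */
function reviewReaderConfig(epubOptions, sandboxAttr) {
  const findings = [];
  if (epubOptions.allowScriptedContent) {
    findings.push('allowScriptedContent is enabled: JavaScript inside the EPUB will execute');
  }
  if (epubOptions.allowPopups) {
    findings.push('allowPopups is enabled: EPUB content may open new windows');
  }
  const cls = classifySandbox(sandboxAttr);
  if (cls === 'none') {
    findings.push('viewer iframe has no sandbox attribute');
  } else if (cls === 'escapable') {
    findings.push('sandbox grants allow-scripts and allow-same-origin together, so content can escape it');
  }
  return findings;
}

// Constructed sandbox values for the two configurations.
console.log(reviewReaderConfig(weakEpubOptions, 'allow-scripts allow-same-origin'));
console.log(reviewReaderConfig(hardenedEpubOptions, 'allow-scripts'));
```

Note that the sandbox token list is the part a code reader cannot see in the snippet above: the `allowScriptedContent` flag is visible in the Vue template, but which `sandbox` tokens epub.js sets on its iframe is decided inside the library, so a review of the option object alone is not enough.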
OSV · 2026-03-31 · CVSS 4.8
CVE-2026-34529 [MEDIUM] File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References

- https://github.com/advplyr/audiobookshelf/assets/36849099/46f6dfe0-9860-4ec0-a987-b3a553f7e45d
- https://github.com/advplyr/audiobookshelf/blob/04ed4810fdfcafc2e82db536edc5870e3f937d00/client/components/readers/EpubReader.vue#L319
- https://github.com/advplyr/audiobookshelf/commit/ce7f891b9b2cb57c6644aaf96f89a8bda6307664
- https://github.com/advplyr/audiobookshelf/releases/tag/v2.10.0
- https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-7j99-76cj-q9pg
Published: 2024-05-27