CVE-2026-42887 — Cross-Site Scripting (XSS)
CVE-2026-42887 — Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrat
What This Means For You
- If your environment is affected by CWE-79, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-42887 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-42887 - Audiobookshelf Login Page XSS via Custom Message
title: CVE-2026-42887 - Audiobookshelf Login Page XSS via Custom Message
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
Detects the specific stored XSS vulnerability in Audiobookshelf's login page. An attacker with administrative privileges can exploit the `authLoginCustomMessage` field in the `/api/auth-settings` endpoint to inject malicious HTML/JavaScript. This rule looks for POST requests to `/api/auth-settings` containing the vulnerable parameter with common XSS payloads, indicating an attempt to inject script into the login page.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42887/
tags:
- attack.initial_access
- attack.t1189
logsource:
category: webserver
detection:
selection:
cs-uri|endswith:
- '/api/auth-settings'
cs-method|exact:
- 'POST'
cs-uri-query|contains:
- 'authLoginCustomMessage'
sc-status|exact:
- '200'
selection_indicators:
cs-uri-query|contains:
- '<script>'
- 'alert('
- 'onerror='
condition: selection AND selection_indicators
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42887 | vulnerability | CVE-2026-42887 |
| CWE-79 | weakness | CWE-79 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 23:25 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-43874: WWBN AVideo WebSocket Vulnerability Allows RCE
CVE-2026-43874 — WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval...
Pi-hole Privilege Escalation via Systemd Scripts (CVE-2026-41489)
CVE-2026-41489 — Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and...
CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability
CVE-2026-8321 — A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware....