CVE-2026-42888— Audiobookshelf: Path Traversal vulnerability in the audiobookshelf project

AI Predicted 8.1 Difficulty: Easy EPSS 0.06% · P19 Updated May 15, 2026

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

Vendor	Product	Version Range	Status
advplyr	audiobookshelf	`< 2.33.2`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42888

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Audiobookshelf: Path Traversal vulnerability in the audiobookshelf project

Source: NVD (National Vulnerability Database)

Vulnerability Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

对路径名的限制不恰当(路径遍历)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Audiobookshelf 路径遍历漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Audiobookshelf是Audiobookshelf开源的一个自托管的有声读物和播客服务器。 Audiobookshelf 2.32.2之前版本存在路径遍历漏洞，该漏洞源于播客创建端点接受用户控制的文件路径，未进行充分边界验证。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
advplyr	audiobookshelf	< 2.33.2	-

II. Public POCs for CVE-2026-42888

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-42888

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-42888 (1)

audiobookshelf_PathTraversal_01 Vulnerability Report: We discovered a Path Traversal vulnerability in the audiobookshelf project. · Advisory · advplyr/audiobookshelf · GitHubx_refsource_CONFIRM

https://nvd.nist.gov/vuln/detail/CVE-2026-42888

Same Patch Batch · advplyr · 2026-05-11 · 6 CVEs total

CVE-2026-42883	6.5 MEDIUM	Audiobookshelf: Cross-library file exfiltration via unscoped bulk download endpoint
CVE-2026-42886	4.9 MEDIUM	Audiobookshelf: Memory amplification DoS via oversized compressed details entry in backup
CVE-2026-42887	4.5 MEDIUM	Audiobookshelf: Stored Cross-Site Scripting in Login Page Custom Message
CVE-2026-42885	4.3 MEDIUM	Audiobookshelf: Path prefix bypass in filesystem existence check leaks out-of-scope file e
CVE-2026-42884	4.3 MEDIUM	Audiobookshelf: Collection endpoints bypass library access controls exposing restricted li

IV. Related Vulnerabilities

Same product: audiobookshelf

Same vendor: advplyr

Same weakness: CWE-22

V. Comments for CVE-2026-42888

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42888— Audiobookshelf: Path Traversal vulnerability in the audiobookshelf project

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-42888

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42888

III. Intelligence Information for CVE-2026-42888

Vendor Advisories for CVE-2026-42888 (1)

Same Patch Batch · advplyr · 2026-05-11 · 6 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-42888

Leave a comment