CVE-2026-42888

Vulnerability Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.

Related Weaknesses (CWE)

CWE-22

References

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-phch-9734-wrp

FAQ

What is CVE-2026-42888?

CVE-2026-42888 is a documented vulnerability. Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without suff...

How severe is CVE-2026-42888?

CVSS scoring is not yet available for CVE-2026-42888. Check NVD for updates.

Is there a patch for CVE-2026-42888?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.