Buffer Overflow Vulnerability in Audiobookshelf by Audiobookshelf
CVE-2026-42886

4.9 MEDIUM

Key Information:

Vendor

Advplyr

CVE Published:
11 May 2026

What is CVE-2026-42886?

Audiobookshelf, a self-hosted audiobook and podcast server, has a vulnerability in the POST /api/backups/upload endpoint: when decompressing the details data from an uploaded .audiobookshelf ZIP file, it places no bound on the amount of memory the decompression may allocate. Prior to version 2.32.2 there is no restriction on the size of the compressed data, so an attacker with admin privileges can upload a specially crafted ZIP file whose decompressed contents consume enough memory to crash the server process. This flaw highlights the importance of enforcing size limits on file uploads to protect server stability and security.

Affected Version(s)

audiobookshelf < 2.33.2

References

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
