Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
AnalysisAI
Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.
Technical ContextAI
Koha is an open-source Integrated Library System (ILS) widely deployed by public, academic, and special libraries. The Invoice feature is part of Koha's acquisitions module, used to manage financial records and file attachments associated with vendor orders. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the root cause is insufficient sanitization or encoding of user-supplied content - in this case, a filename or file content submitted via the upload function - before it is rendered back in the browser. The Scope:Changed (S:C) attribute in the CVSS vector confirms this is a stored or reflected XSS that crosses privilege boundaries: a lower-privileged user submits malicious input that is later rendered in the session of a higher-privileged user. The CPE data provided is unpopulated (n/a), so affected product enumeration relies solely on the CVE description. Note: the 'RCE' tag associated with this CVE refers to client-side JavaScript execution in the victim's browser context, not server-side remote code execution - the CVSS score of 5.4 and CWE-79 confirm this is browser-level code execution.
RemediationAI
Upgrade to a patched release of Koha beyond version 25.11; as of this analysis, an exact fixed release version has not been independently confirmed from the available reference data - monitor the official Koha release page at https://github.com/Koha-Community/Koha and the Koha community mailing lists for a tagged patch release. Until a patch is applied, restrict access to the acquisitions and invoice module to the minimum set of trusted accounts, removing or disabling upload permissions for any untrusted vendor or low-privileged user accounts - this directly removes the attacker's injection vector but may disrupt normal acquisitions workflows. Deploying a Web Application Firewall (WAF) rule to inspect and block file upload requests containing HTML/JavaScript content to the invoice endpoint is an additional compensating control, though WAF bypass via encoding is a known risk. Monitoring for unexpected script execution in library staff browser sessions can serve as a detection measure.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34169
GHSA-j9m8-fw2w-frcq