Skip to main content

Koha CVE-2026-26378

| EUVDEUVD-2026-34169 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-03 mitre GHSA-j9m8-fw2w-frcq
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 14:25 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
5.4 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features

AnalysisAI

Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.

Technical ContextAI

Koha is an open-source Integrated Library System (ILS) widely deployed by public, academic, and special libraries. The Invoice feature is part of Koha's acquisitions module, used to manage financial records and file attachments associated with vendor orders. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the root cause is insufficient sanitization or encoding of user-supplied content - in this case, a filename or file content submitted via the upload function - before it is rendered back in the browser. The Scope:Changed (S:C) attribute in the CVSS vector confirms this is a stored or reflected XSS that crosses privilege boundaries: a lower-privileged user submits malicious input that is later rendered in the session of a higher-privileged user. The CPE data provided is unpopulated (n/a), so affected product enumeration relies solely on the CVE description. Note: the 'RCE' tag associated with this CVE refers to client-side JavaScript execution in the victim's browser context, not server-side remote code execution - the CVSS score of 5.4 and CWE-79 confirm this is browser-level code execution.

RemediationAI

Upgrade to a patched release of Koha beyond version 25.11; as of this analysis, an exact fixed release version has not been independently confirmed from the available reference data - monitor the official Koha release page at https://github.com/Koha-Community/Koha and the Koha community mailing lists for a tagged patch release. Until a patch is applied, restrict access to the acquisitions and invoice module to the minimum set of trusted accounts, removing or disabling upload permissions for any untrusted vendor or low-privileged user accounts - this directly removes the attacker's injection vector but may disrupt normal acquisitions workflows. Deploying a Web Application Firewall (WAF) rule to inspect and block file upload requests containing HTML/JavaScript content to the invoice endpoint is an additional compensating control, though WAF bypass via encoding is a known risk. Monitoring for unexpected script execution in library staff browser sessions can serve as a detection measure.

Share

CVE-2026-26378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy