Skip to main content

Koha ILS CVE-2026-26379

| EUVDEUVD-2026-34170 MEDIUM
Code Injection (CWE-94)
2026-06-03 mitre GHSA-7pjj-942q-wrwg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 14:26 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue in Koha v.25.11 and before allows a remote attacker to execute arbitrary code via the Z39.50 configuration module

AnalysisAI

Remote code execution in Koha v.25.11 and earlier allows unauthenticated network attackers to inject and execute arbitrary code through the Z39.50 configuration module. Koha is a widely deployed open-source integrated library system (ILS); the affected component handles Z39.50, a standard client-server protocol used for querying remote library catalogues. No public exploit identified at time of analysis, though a researcher technical write-up is publicly available at g03m0n.github.io, and EPSS exploitation probability is low at 0.05% (16th percentile). Notable discrepancy: CVSS impact scores (C:L/I:L) appear understated relative to the arbitrary code execution claim and should be treated with caution.

Technical ContextAI

Koha is an open-source ILS built in Perl, used by public, academic, and special libraries worldwide. The Z39.50 protocol (ISO 23950) is a bibliographic search-and-retrieve standard; Koha exposes a configuration module allowing administrators to define remote Z39.50 server targets. CWE-94 (Code Injection) identifies the root cause: user-supplied input is incorporated into a code execution context without sufficient sanitization or sandboxing, enabling injection of executable logic. This is distinct from command injection (CWE-78) - the injected payload is interpreted as code by the application runtime rather than passed to an OS shell, though the practical impact (arbitrary execution) may be similar. CPE data returned as 'n/a:n/a' by NVD, meaning vendor-confirmed CPE strings are not yet formally registered; affected product scope is derived from the CVE description and EUVD entry rather than NVD CPE.

RemediationAI

Upstream fix availability is not confirmed from the provided data - no patched release version is referenced in any of the advisory sources. Organizations should monitor the Koha Community GitHub repository (https://github.com/Koha-Community/Koha) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-26379) for patch releases. As a compensating control, restrict access to the Z39.50 configuration module at the application or network layer - limit it to trusted administrative IP ranges or authenticated admin sessions only; this reduces the attack surface if the PR:N vector is accurate and reduces exposure if it is not. Disabling the Z39.50 configuration module entirely is an option for sites that do not use Z39.50 target federation, though this will disable the ability to search remote library catalogues. Web application firewall rules filtering code injection patterns on the Z39.50 configuration endpoint may provide partial mitigation but should not be relied upon as a primary control given CWE-94 payloads can be highly polymorphic.

Share

CVE-2026-26379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy