Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue in Koha v.25.11 and before allows a remote attacker to execute arbitrary code via the Z39.50 configuration module
AnalysisAI
Remote code execution in Koha v.25.11 and earlier allows unauthenticated network attackers to inject and execute arbitrary code through the Z39.50 configuration module. Koha is a widely deployed open-source integrated library system (ILS); the affected component handles Z39.50, a standard client-server protocol used for querying remote library catalogues. No public exploit identified at time of analysis, though a researcher technical write-up is publicly available at g03m0n.github.io, and EPSS exploitation probability is low at 0.05% (16th percentile). Notable discrepancy: CVSS impact scores (C:L/I:L) appear understated relative to the arbitrary code execution claim and should be treated with caution.
Technical ContextAI
Koha is an open-source ILS built in Perl, used by public, academic, and special libraries worldwide. The Z39.50 protocol (ISO 23950) is a bibliographic search-and-retrieve standard; Koha exposes a configuration module allowing administrators to define remote Z39.50 server targets. CWE-94 (Code Injection) identifies the root cause: user-supplied input is incorporated into a code execution context without sufficient sanitization or sandboxing, enabling injection of executable logic. This is distinct from command injection (CWE-78) - the injected payload is interpreted as code by the application runtime rather than passed to an OS shell, though the practical impact (arbitrary execution) may be similar. CPE data returned as 'n/a:n/a' by NVD, meaning vendor-confirmed CPE strings are not yet formally registered; affected product scope is derived from the CVE description and EUVD entry rather than NVD CPE.
RemediationAI
Upstream fix availability is not confirmed from the provided data - no patched release version is referenced in any of the advisory sources. Organizations should monitor the Koha Community GitHub repository (https://github.com/Koha-Community/Koha) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-26379) for patch releases. As a compensating control, restrict access to the Z39.50 configuration module at the application or network layer - limit it to trusted administrative IP ranges or authenticated admin sessions only; this reduces the attack surface if the PR:N vector is accurate and reduces exposure if it is not. Disabling the Z39.50 configuration module entirely is an option for sites that do not use Z39.50 target federation, though this will disable the ability to search remote library catalogues. Web application firewall rules filtering code injection patterns on the Z39.50 configuration endpoint may provide partial mitigation but should not be relied upon as a primary control given CWE-94 payloads can be highly polymorphic.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34170
GHSA-7pjj-942q-wrwg