Koha

1 CVEs product

Monthly

CVE-2026-26377 MEDIUM POC This Month

Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.

XSS Koha
NVD GitHub
CVSS 3.1: 5.4
EPSS: 0.1%