Koha CVEs & Vulnerabilities

6 CVEs affecting Koha products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

koha 6
CVE-2026-50767MEDIUM

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).

27 Jun 2026
5.4
CVSS
CVE-2026-50766MEDIUM

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).

27 Jun 2026
5.4
CVSS
CVE-2026-50765MEDIUM

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).

27 Jun 2026
6.1
CVSS
CVE-2026-26379MEDIUM

Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.

3 Jun 2026
6.5
CVSS
CVE-2026-26378MEDIUM

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features

3 Jun 2026
5.4
CVSS
CVE-2026-26377MEDIUM

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.

5 Mar 2026
5.4
CVSS
← PrevPage 1 / 1Next →