Koha CVEs & Vulnerabilities
6 CVEs affecting Koha products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.
Most Affected Products
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).
Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.