Vulnerabilities
Vulnerable Software
Koha:  >> Koha  >> 16.05.02  Security Vulnerabilities
A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).
CVSS Score
6.1
EPSS Score
0.002
Published
2026-06-26
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
CVSS Score
5.4
EPSS Score
0.002
Published
2026-06-26
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).
CVSS Score
5.4
EPSS Score
0.002
Published
2026-06-26
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
CVSS Score
5.4
EPSS Score
0.003
Published
2026-06-03
Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.
CVSS Score
6.5
EPSS Score
0.002
Published
2026-06-03
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.
CVSS Score
5.4
EPSS Score
0.004
Published
2026-03-05
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.
CVSS Score
7.2
EPSS Score
0.177
Published
2024-08-06
Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component.
CVSS Score
9.6
EPSS Score
0.007
Published
2024-08-06
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.
CVSS Score
8.0
EPSS Score
0.008
Published
2024-02-12
A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239866 is the identifier assigned to this vulnerability.
CVSS Score
3.5
EPSS Score
0.005
Published
2023-09-17


Contact Us

Shodan ® - All rights reserved