Description
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Koha Library system fails to sanitize filenames provided by users before extracting ZIP archives. Consequently, the script upload-cover-image.pl executes the shell command qx/unzip $filename -d $dirname/; with the filename interpolated directly into the command string. An attacker can supply a crafted filename containing shell metacharacters, which the underlying shell then executes as part of the command. This flaw is a form of code injection (CWE-94) and enables remote code execution, allowing the attacker to run arbitrary commands with the web process's privileges. Confidentiality, integrity, and availability of the affected environment could be compromised as a result.

Affected Systems

The vulnerability exists in Koha Library releases before version 23.05.10. The public release notes for 23.05.10 and later indicate that the issue has been addressed. Users operating with Koha 23.05.09 or earlier versions are exposed, while those running 23.05.10 or newer are not affected. No additional vendor or product name beyond Koha Library is cited.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as Critical. The EPSS score is below 1%, suggesting low current exploitation activity, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely web-based: an authenticated or unauthenticated user might upload a malicious ZIP file and trigger the Process Images action. Successful exploitation would give an attacker remote code execution on the server, with full authority to modify data, exfiltrate information, or extend the attack surface. Administrators should assess whether the upload functionality is exposed to untrusted users, since the risk hinges on whether such users can trigger the vulnerable script.

Generated by OpenCVE AI on April 10, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Koha to version 23.05.10 or later, as the vulnerability has been patched in these releases.
  • If an upgrade is not immediately possible, disable or remove the ability for users to upload ZIP archives through the Process Images feature or restrict the permission to trusted administrators only.
  • Monitor application logs for attempts to use shell metacharacters or suspicious file names during the unzipping process.
  • Apply general security best practices by ensuring that any file input is validated and all external commands are executed with sanitized arguments.
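
As an added illustration (not Koha's own code) of the pattern the Impact section describes and of the sanitized-arguments recommendation above: the vulnerable qx// interpolation beside a hardened version that validates the name and invokes unzip without a shell. The function names, the allowlist pattern, and the sample filenames are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Basename qw(basename);

# Constructed example, not Koha's code. The pattern the advisory quotes
# interpolates an attacker-controlled name into a shell command:
#
#     qx/unzip $filename -d $dirname/;
#
# The whole string is handed to /bin/sh, so any shell metacharacter in
# $filename becomes part of the command line.

# Hypothetical allowlist check: keep only the basename, require a
# conservative character set and a .zip suffix, and forbid a leading '-'
# so the name can never be parsed as an unzip option.
sub safe_zip_name {
    my ($name) = @_;
    $name = basename($name);      # drop any directory component
    return undef unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\.zip\z/i;
    return $name;
}

# Hardened extraction: the list form of system() passes arguments straight
# to execve() with no shell in between, so metacharacters are inert.
sub extract_cover_archive {
    my ($upload_dir, $name, $dirname) = @_;
    my $safe = safe_zip_name($name) or die "rejected archive name\n";
    my $path = File::Spec->catfile($upload_dir, $safe);
    my $rc = system('unzip', '-q', '-d', $dirname, $path);
    die "unzip could not be run: $!\n" if $rc == -1;
    die "unzip failed: exit status " . ($rc >> 8) . "\n" if $rc != 0;
    return 1;
}

# Constructed names: only the plain one passes the allowlist.
for my $candidate ('covers.zip', 'a;b.zip', 'c$(d).zip', '-x.zip') {
    printf "%-12s -> %s\n", $candidate,
        defined safe_zip_name($candidate) ? 'accepted' : 'rejected';
}
```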

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Command Injection via Untrusted Filenames in Koha Library File Upload

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Command Injection via Untrusted Filenames in Koha Library Cover‑Image Upload
Weaknesses CWE-78

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Koha-community
Koha-community koha Library Software
Vendors & Products Koha-community
Koha-community koha Library Software

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Command Injection via Untrusted Filenames in Koha Library Cover‑Image Upload
Weaknesses CWE-78

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T13:49:52.148Z

Reserved: 2024-05-19T00:00:00.000Z

Link: CVE-2024-36057

Vulnrichment

Updated: 2026-04-09T13:49:44.140Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:21.390

Modified: 2026-04-09T14:16:24.570

Link: CVE-2024-36057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:24Z

Weaknesses