Description
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.
Published: 2026-03-05
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A reflected cross-site scripting flaw exists in the News function of the Koha library management system, up to and including version 25.11. An unauthenticated attacker can craft a request or URL that injects malicious JavaScript into the News page. When an end user views the page, the script runs in that user's browser context, allowing arbitrary script execution as that user, theft of session data, defacement, or further compromise of the user's system. The weakness is classified as CWE-79.

Affected Systems

Koha library management system, versions 25.11 and earlier.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and an EPSS value below 1% suggests exploitation is currently unlikely but still possible. Because the vulnerability is remotely exploitable without authentication, any visitor to a vulnerable Koha site could be affected. The flaw has not yet appeared in the CISA KEV catalog but is publicly documented, so attackers could target unpatched installations. Note that the CVSS v3.1 vector recorded for this entry (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) assigns PR:L and UI:R, i.e. low privileges and a user action such as following a crafted link are required, so check the vector against your own deployment when assessing exposure. Updating the software or applying defense-in-depth controls is recommended to prevent exploitation.

Generated by OpenCVE AI on April 18, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Koha to a version newer than 25.11, preferably the latest stable release.
  • If an upgrade is not immediately feasible, disable the News function or restrict its use to trusted staff via role-based access control.
  • Deploy a Content Security Policy that prevents the execution of inline scripts and limits script sources to trusted domains.
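The CSP recommendation above only helps if the policy really withholds inline script execution and keeps script sources to trusted hosts. The following Python is an added example, not code from OpenCVE or the Koha project: it checks a header value for exactly those two properties, using a constructed weak policy beside its corrected form (cdn.example.org is a placeholder trusted host, and the header itself would be emitted by the web server fronting Koha).

```python
from typing import Dict, List

# Constructed policies. The first looks like "we have a CSP" but still lets an
# injected inline script run; the second is the corrected form.
# cdn.example.org is a placeholder for a host the deployment actually trusts.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example.org; "
    "object-src 'none'; base-uri 'self'"
)

# Source expressions that make script-src effectively unrestricted.
OVERLY_BROAD = {"*", "http:", "https:", "data:", "blob:"}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directive names and
    keyword sources are ASCII case-insensitive, so tokens are lowercased."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective_script_sources(header: str) -> List[str]:
    """script-src if present (an empty value means 'none'), else the
    default-src fallback; [] means nothing governs scripts at all."""
    policy = parse_csp(header)
    if "script-src" in policy:
        return policy["script-src"] or ["'none'"]
    return policy.get("default-src", [])

def inline_scripts_blocked(header: str) -> bool:
    """True if inline <script> blocks and injected event handlers cannot run.
    'unsafe-inline' re-enables them unless a nonce or hash source is also
    listed, in which case CSP2+ browsers ignore 'unsafe-inline'."""
    sources = effective_script_sources(header)
    if not sources:
        return False
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    nonce_or_hash = any(s.startswith(prefixes) for s in sources)
    return "'unsafe-inline'" not in sources or nonce_or_hash

def overly_broad_script_sources(header: str) -> List[str]:
    """Sources that defeat "script sources limited to trusted domains"."""
    return [s for s in effective_script_sources(header) if s in OVERLY_BROAD]
```

Run it against the header your reverse proxy emits for the OPAC and staff interface, and roll a new policy out with Content-Security-Policy-Report-Only first, since an application that relies on inline scripts needs nonces or hashes before the hardened form can be enforced.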

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
Title | | Koha 25.11 and Earlier: Reflected XSS in News Function

Tue, 10 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Koha; Koha koha
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*
Vendors & Products | | Koha; Koha koha
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Koha-community; Koha-community koha
Vendors & Products | | Koha-community; Koha-community koha

Thu, 05 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-10T14:33:25.148Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26377

Vulnrichment

Updated: 2026-03-10T14:32:45.648Z

NVD

Status: Modified

Published: 2026-03-05T16:16:16.350

Modified: 2026-03-10T18:18:43.633

Link: CVE-2026-26377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses