Description
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
Published: 2026-06-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a stored cross‑site scripting weakness in the file upload function of Koha 25.11 and earlier. An attacker can upload a file that contains malicious JavaScript, which is then rendered when an invoice including that file is viewed. The injected code runs in the browsers of all users who open the invoice, allowing the attacker to perform arbitrary client‑side actions in those users' sessions. This is a CWE‑79 type vulnerability.

Affected Systems

Koha library management system, versions 25.11 and all earlier releases that enable file uploads within the Invoice module. The vulnerability is present whenever the file upload feature for invoices is available, regardless of user authentication level.

Risk and Exploitability

The attack requires an attacker to create a malicious file and a victim user to view the invoice containing that file. The likely attack vector is web‑based interaction with the invoice page, and user interaction is required for exploitation. The EPSS score of < 1% indicates a very low probability of exploitation, though the potential for client‑side code execution still poses a meaningful risk. This flaw is not listed in the CISA KEV catalog, but it warrants remediation because it allows arbitrary JavaScript to run in users' browsers.

Generated by OpenCVE AI on June 4, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Koha update past version 25.11 that removes the file upload XSS defect.
  • If no update is immediately available, block the invoice file upload capability or enforce strict file type validation to prevent malicious content from being uploaded.
  • Sanitize the uploaded files and the content rendered on invoice pages to eliminate executable scripts, following standard XSS mitigation practices.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Koha
Koha koha
CPEs cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*
Vendors & Products Koha
Koha koha

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Invoice File Upload in Koha 25.11 and Earlier

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Invoice File Upload in Koha 25.11 and Earlier
Weaknesses CWE-79

Wed, 03 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Koha-community
Koha-community koha
Vendors & Products Koha-community
Koha-community koha

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T12:29:08.564Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26378

Vulnrichment

Updated: 2026-06-04T12:29:04.321Z

NVD

Status: Analyzed

Published: 2026-06-03T19:16:25.400

Modified: 2026-06-04T18:49:28.957

Link: CVE-2026-26378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:30:17Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')