The vulnerability resides in the Z39.50 configuration module of Koha versions 25.11 and earlier and permits a remote attacker to execute arbitrary code on the host system. Because execution of arbitrary code is possible, an attacker can effectively gain full control over the affected instance, compromising confidentiality, integrity, and availability. The weakness is consistent with command or code injection flaws.

Koha library management system, versions 25.11 and earlier. The vulnerability affects all deployments that enable the Z39.50 configuration module without additional network isolation or input validation.

Although explicit CVSS or EPSS metrics are not provided, the nature of remote code execution classifies this as a high‑severity issue. No current exploitation evidence or KEV listing is reported, but the lack of a known mitigation path and the ability to run arbitrary commands present a significant risk. Attackers can reach the vulnerable module over the network, likely through standard Z39.50 service ports, and supply crafted configuration input to trigger the injection.