Description
Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a cross-site scripting vulnerability that lets an authenticated administrator inject arbitrary JavaScript into the patron restriction type administration page. The injected code runs in the browser of any user who views that page, enabling session hijacking, defacement, or exfiltration of sensitive information.

Affected Systems

Koha Library Management System versions up to and including 25.11 are affected. The vulnerability is reachable by any user who holds administrator privileges and can create or edit restriction type labels through the display_text field.

Risk and Exploitability

The CVSS score is not disclosed and no EPSS value is available, so the exact severity cannot be quantified. The vulnerability requires administrative credentials, which limits the attack surface, but if an attacker controls an administrator account the risk is significant because the injected script executes for every user who visits the page. The exploit is known to be in the public domain, yet the vulnerability is not listed in the CISA KEV catalog, which indicates that it may not yet have seen widespread exploitation.

Generated by OpenCVE AI on June 26, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Koha release that contains the resolution for CVE-2026-50765 (any version newer than 25.11).
  • Limit the number of administrator accounts and enforce least privilege so that only trusted staff can access administration functions.
  • If an immediate upgrade is not feasible, sanitize the display_text field by removing any <script> tags or other executable content, or replace the field handling with input validation that rejects HTML.


Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:45:00 +0000

Type         Values Removed   Values Added
Title                         Authenticated Cross-Site Scripting in Koha Patron Restriction Type Administration Page
Weaknesses                    CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type         Values Removed   Values Added
Description                   Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T21:36:48.392Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50765

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')