Impact
The vulnerability is a cross‑site scripting flaw that allows an authenticated administrator to inject arbitrary JavaScript into the patron restriction type administration page by manipulating the restriction type label (display_text field). The attacker can embed malicious code that will run in the browsers of any user who views that page, enabling session hijacking, defacement, or exfiltration of information.
Affected Systems
Koha Library Management System versions through 25.11 are affected. Only users with administrator privileges can create or edit restriction type labels via the display_text field, and thus can play the role of the attacker.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, while the EPSS score of < 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the Koha web interface and a valid administrator account, limiting the attack surface to trusted staff. Once an attacker injects malicious scripts, any user who visits the affected page will have the scripts executed in their browser, exposing potential for session hijacking or data theft. No public exploit has been documented, and the vulnerability is not currently tracked in key exploitation databases.
OpenCVE Enrichment