Description
A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).
Published: 2026-06-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw that allows an authenticated administrator to inject arbitrary JavaScript into the patron restriction type administration page by manipulating the restriction type label (display_text field). The attacker can embed malicious code that will run in the browsers of any user who views that page, enabling session hijacking, defacement, or exfiltration of information.

Affected Systems

Koha Library Management System versions through 25.11 are affected. Only users with administrator privileges can create or edit restriction type labels via the display_text field, and thus can play the role of the attacker.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, while the EPSS score of < 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the Koha web interface and a valid administrator account, limiting the attack surface to trusted staff. Once an attacker injects malicious scripts, any user who visits the affected page will have the scripts executed in their browser, exposing potential for session hijacking or data theft. No public exploit has been documented, and the vulnerability is not currently tracked in key exploitation databases.

Generated by OpenCVE AI on June 29, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Koha release newer than 25.11 that contains the fix for CVE‑2026‑50765.
  • Limit the number of administrator accounts and enforce least privilege so that only trusted staff can access the administration functions.
  • If an upgrade cannot be performed immediately, sanitize the display_text field by stripping <script> tags and other executable content or apply input validation that rejects HTML.

Generated by OpenCVE AI on June 29, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 05 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
References

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Koha
Koha library Management System
Vendors & Products Koha
Koha library Management System

Mon, 29 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Stored XSS in Koha Patron Restriction Type Administration Page

Mon, 29 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field) A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).

Mon, 29 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Authenticated Cross‑Site Scripting in Koha Patron Restriction Type Administration Page

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Authenticated Cross‑Site Scripting in Koha Patron Restriction Type Administration Page
Weaknesses CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)
References

Subscriptions

Koha Library Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-05T01:35:56.887Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50765

cve-icon Vulnrichment

Updated: 2026-06-29T12:56:40.663Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:08:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')