Description
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
Published: 2026-06-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists on the OPAC item detail page of Koha Library Management System from version 0 up to 25.11. An authenticated attacker who has the edit_items permission can insert arbitrary JavaScript into the item public notes field (items.itemnotes). When a user opens the affected item’s detail page, the stored script runs in the victim’s browser context, potentially executing malicious code and compromising the user’s session or data.

Affected Systems

Koha Library Management System releases 0 through 25.11, irrespective of the deployment environment, are impacted because the vulnerability resides in the standard OPAC item detail page handling.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of <1% reflects a very low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Exploitation requires that the attacker already possesses an account with edit_items rights; a compromised or fraudulently obtained account could therefore persistently embed malicious scripts that would affect all users who view the item detail page.

Generated by OpenCVE AI on June 29, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the edit_items permission to trusted staff members only or remove the ability to edit public notes for users who normally have this privilege.
  • Deploy a Content Security Policy that blocks the execution of inline scripts or JavaScript from untrusted sources on the OPAC item detail pages to mitigate XSS damage.
  • Review Koha’s official release notes or community advisories for any security updates that address the OPAC item notes handling flaw and apply them when available.
  • Continuously monitor for newly published patches or workarounds and apply them promptly.

Generated by OpenCVE AI on June 29, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 05 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
References

Mon, 29 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes). A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).

Mon, 29 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Koha OPAC Item Public Notes

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Koha
Koha koha
Vendors & Products Koha
Koha koha

Sat, 27 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Koha OPAC Item Public Notes
Weaknesses CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-05T01:36:00.879Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50766

cve-icon Vulnrichment

Updated: 2026-06-29T12:55:16.293Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T19:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')