Impact
A stored cross‑site scripting vulnerability exists on the OPAC item detail page of Koha Library Management System from version 0 up to 25.11. An authenticated attacker who has the edit_items permission can insert arbitrary JavaScript into the item public notes field (items.itemnotes). When a user opens the affected item’s detail page, the stored script runs in the victim’s browser context, potentially executing malicious code and compromising the user’s session or data.
Affected Systems
Koha Library Management System releases 0 through 25.11, irrespective of the deployment environment, are impacted because the vulnerability resides in the standard OPAC item detail page handling.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, while the EPSS score of <1% reflects a very low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Exploitation requires that the attacker already possesses an account with edit_items rights; a compromised or fraudulently obtained account could therefore persistently embed malicious scripts that would affect all users who view the item detail page.
OpenCVE Enrichment