Description
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).
Published: 2026-06-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated remote attacker with administrator privileges can inject arbitrary JavaScript into the item type check‑in message field via the item type administration page in Koha Library Management System versions 0 through 25.11. Because the application stores the input without proper escaping, the script runs whenever other users view the page, enabling attacks such as session hijacking, defacement, or data exfiltration. This is identified by CWE‑79.

Affected Systems

The vulnerability exists in Koha Library Management System versions up to and including 25.11. Any deployment that uses the item type administration page and grants administrators the ability to edit the check‑in message field is affected. No other vendor or product information is listed.

Risk and Exploitability

The CVSS score is 5.4 and the EPSS score is < 1%, and the vulnerability is not listed in CISA KEV, indicating no known large‑scale exploitation at present. However, because the attack requires administrator privileges, the risk mainly applies to systems where such accounts are accessible over the network or from compromised local machines. Administrative access could be used to inject the stored script to compromise other users who view the page, but the overall exploitation probability remains moderate in the absence of broader exposure.

Generated by OpenCVE AI on June 29, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Koha installation to a version later than 25.11 that contains the patch for this issue.
  • Ensure that the check‑in message field content is properly encoded before being stored or displayed on the page.
  • Limit administrator access to trusted users and consider implementing role‑based access controls or additional authentication checks for the item type administration page.

Generated by OpenCVE AI on June 29, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 05 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
References

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Koha
Koha library Management System
Vendors & Products Koha
Koha library Management System

Mon, 29 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Stored XSS in Koha Item Type Administration Page

Mon, 29 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg) A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).

Mon, 29 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Item Type Check‑In Message in Koha Library Management System

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Item Type Check‑In Message in Koha Library Management System
Weaknesses CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)
References

Subscriptions

Koha Library Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-05T01:36:07.460Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50767

cve-icon Vulnrichment

Updated: 2026-06-29T12:52:42.509Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:08:22Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')