Description
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator can inject arbitrary JavaScript into the item type check‑in message field of the Koha Library Management System through version 25.11. Because the application stores the input without proper escaping, the script runs whenever other users view the message, enabling attacks such as session hijacking, defacement, or data exfiltration. The weakness is classified as CWE-79.

Affected Systems

The vulnerability exists in Koha Library Management System versions up to and including 25.11. Any deployment that uses the item type administration page and grants administrators the ability to edit the check‑in message field is affected. No other vendor or product information is listed.

Risk and Exploitability

No CVSS or EPSS scores have been published, and the vulnerability is not listed in CISA KEV, indicating no known large‑scale exploitation at present. Because the attack requires administrator privileges, the risk mainly applies to systems where such accounts are reachable over the network or from compromised local machines. An attacker with administrative access could use the stored script to compromise other users who view the page, but the overall exploitation probability remains moderate in the absence of broader exposure.

Generated by OpenCVE AI on June 26, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Koha installation to a version later than 25.11 that contains the patch for this issue.
  • Ensure that the check‑in message field content is properly encoded before being stored or displayed on the page.
  • Limit administrator access to trusted users and consider implementing role‑based access controls or additional authentication checks for the item type administration page.
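The second recommendation above is the core fix for a stored XSS: treat the saved check‑in message as text, not markup, when it is written into the page. The following Python script is an added illustration of that principle and is not Koha code; Koha itself is written in Perl and renders pages through Template Toolkit, where the equivalent step is applying the `html` filter to the variable. The sample message, the wrapper markup and every function name are constructed for the example. It contrasts the vulnerable rendering path with the encoded one, includes a small check that can tell whether rendered output still contains live tags, and shows the double‑encoding pitfall that arises if the value is encoded both before storage and at display time.

```python
import html
import re

# Constructed sample value for the item type check-in message (checkinmsg).
# The script tag stands in for the "arbitrary web scripts" in the description.
STORED_CHECKIN_MSG = 'Return to the front desk. <script>alert(1)</script>'

# Hypothetical wrapper that the message is rendered into on the page.
WRAP_OPEN = '<div class="checkin-message">'
WRAP_CLOSE = '</div>'


def render_unescaped(msg: str) -> str:
    """Vulnerable pattern: the stored string is interpolated into HTML as-is,
    so any tags it contains become live markup when another user views it."""
    return f"{WRAP_OPEN}{msg}{WRAP_CLOSE}"


def render_escaped(msg: str) -> str:
    """Hardened pattern: HTML-encode at output time. The stored value stays
    raw in the database; '<', '>', '&' and quotes are encoded on every render."""
    return f"{WRAP_OPEN}{html.escape(msg, quote=True)}{WRAP_CLOSE}"


# Anything an HTML parser would start treating as a tag opener.
_TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def inner_html(rendered: str) -> str:
    """Return the user-controlled content between the known wrapper tags."""
    if not (rendered.startswith(WRAP_OPEN) and rendered.endswith(WRAP_CLOSE)):
        raise ValueError("rendered fragment does not use the expected wrapper")
    return rendered[len(WRAP_OPEN):len(rendered) - len(WRAP_CLOSE)]


def has_live_markup(rendered: str) -> bool:
    """True if the user-controlled part of the fragment still contains a tag
    opener, i.e. a browser would parse script or other markup out of it."""
    return _TAG_START.search(inner_html(rendered)) is not None


def double_encoded(msg: str) -> str:
    """Pitfall: encoding before storage *and* at render doubles the entities,
    e.g. '<' -> '&lt;' -> '&amp;lt;', which the browser shows literally as '&lt;'.
    Encode once, at the point where the value is written into HTML."""
    stored = html.escape(msg, quote=True)      # encoded on the way in
    return html.escape(stored, quote=True)     # encoded again on the way out


if __name__ == "__main__":
    for name, fn in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = fn(STORED_CHECKIN_MSG)
        print(f"{name:10s} live markup: {has_live_markup(out)}")
        print("   ", out)
    print("double-encoded '<b>':", double_encoded("<b>"))
```

Running the script shows the unescaped fragment still carrying a parseable `<script>` tag while the escaped fragment renders the same text as harmless entities. The `has_live_markup` check is deliberately crude (it only looks for tag openers) and is meant for a template or regression test that pins the encoded rendering, not as a sanitiser in the request path.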



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:45:00 +0000

Type        Values Removed / Values Added
----------  ---------------------------------------------------------------------------------------
Title       Stored Cross‑Site Scripting via Item Type Check‑In Message in Koha Library Management System
Weaknesses  CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type         Values Removed / Values Added
-----------  ---------------------------------------------------------------------------------------
Description  A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T21:39:20.784Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50767

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')