CVE Catalog

CVE-2026-50765

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

A stored cross-site scripting (XSS) vulnerability was discovered in the patron restriction type administration page of Koha Library Management System versions 0 through 25.11. It allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).

Risk Assessment

An attacker can execute malicious scripts in the browsers of other administrators, potentially leading to session theft, configuration changes, or further escalation within the library system.

Recommendation

Immediately update Koha to the latest available version that includes a fix for this vulnerability. Additionally, restrict administrator privileges and implement input validation.

Original NVD description (English source)

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS