CVE Catalog

CVE-2026-50766

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).

Risk Assessment

An attacker can steal user sessions, redirect users to malicious sites, or exfiltrate library data, compromising the confidentiality and integrity of the system.

Recommendation

Immediately upgrade Koha to version 25.11.xx or later, which includes a fix for this vulnerability. Until the update is applied, restrict edit_items permissions to trusted users only.

Original NVD description (English source)

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS