CVE Catalog

CVE-2026-50767

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A stored cross-site scripting (XSS) vulnerability in Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with admin privileges to inject arbitrary scripts via the item type check-in message field.

Risk Assessment

An attacker can inject a malicious script that executes in other administrators' browsers, potentially leading to session theft, data modification, or further escalation within the library system.

Recommendation

Upgrade Koha to a version newer than 25.11 immediately to patch the vulnerability. Additionally, restrict admin privileges and implement input validation.

Original NVD description (English source)

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS