CVE-2026-50767
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A stored cross-site scripting (XSS) vulnerability in Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with admin privileges to inject arbitrary scripts via the item type check-in message field.
Risk Assessment
An attacker can inject a malicious script that executes in other administrators' browsers, potentially leading to session theft, data modification, or further escalation within the library system.
Recommendation
Upgrade Koha to a version newer than 25.11 immediately to patch the vulnerability. Additionally, restrict admin privileges and implement input validation.
Original NVD description (English source)
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).

