PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50767 Koha CVE debrief

CVE-2026-50767 is a stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11. An authenticated remote attacker with administrator privileges can inject arbitrary web scripts via the item type check-in message field (checkinmsg). The vulnerability has a CVSS score of 5.4 and a severity of MEDIUM. The CVE was published on 2026-06-26T22:16:32.727Z and last modified on 2026-06-29T14:16:56.600Z. The vulnerability affects Koha Library Management System, but the vendor name and product name are not confirmed.

Vendor
Koha
Product
Koha Library Management System
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-06-29
Advisory published
2026-06-26
Advisory updated
2026-06-29

Who should care

Administrators and users of Koha Library Management System through version 25.11 should be aware of this vulnerability. An attacker with administrator privileges can exploit this vulnerability to inject malicious scripts, potentially leading to security breaches. Users should ensure they are running a version of Koha that has addressed this vulnerability.

Technical summary

The vulnerability is a stored cross-site scripting (XSS) issue in the item type administration page of Koha Library Management System. An authenticated remote attacker with administrator privileges can inject arbitrary web scripts via the item type check-in message field (checkinmsg). The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The weakness associated with this vulnerability is CWE-79.

Defensive priority

This vulnerability has a medium severity and requires attention from administrators of Koha Library Management System. To mitigate this vulnerability, ensure that the system is updated to a version that addresses this issue, and consider implementing additional security measures such as input validation and content security policy.

Recommended defensive actions

  • Update Koha Library Management System to a version that addresses this vulnerability.
  • Implement input validation and content security policy to prevent similar vulnerabilities.
  • Monitor the system for suspicious activity and ensure administrator privileges are properly managed.
  • Consider conducting regular security audits and penetration testing to identify potential vulnerabilities.
  • Keep software and dependencies up-to-date to ensure the latest security patches are applied.

Evidence notes

The CVE-2026-50767 vulnerability was identified in Koha Library Management System through version 25.11. The vulnerability allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg). The CVSS score for this vulnerability is 5.4, and the severity is MEDIUM. The CVE was published on 2026-06-26T22:16:32.727Z and last modified on 2026-06-29T14:16:56.600Z.

Official resources

This article is AI-assisted and based on the supplied source corpus.