CVE-2025-22954

CRITICAL

Koha <24.11.02 - SQL Injection

Title source: llm

Description

GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.

Exploits (1)

nomisec WORKING POC 1 stars

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2025-22954

View Code ZIP pw:eip

References (2)

[Various Sources] https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38829

[Various Sources] https://koha-community.org/koha-24-11-02-released/

Scores

CVSS v3 10.0

EPSS 0.2110

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

Koha/Koha < 24.11.02

Published Mar 12, 2025

Tracked Since Feb 18, 2026