CVE-2026-26378

MEDIUM

Koha < 25.11 - Stored Cross-Site Scripting via Invoice File Upload

Title source: llm

Description

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features

References (3)

Core 3

Core References

https://github.com/Koha-Community/Koha

https://g03m0n.github.io

https://g03m0n.github.io/posts/cve-2026-26378/

Scores

CVSS v3 5.4

EPSS 0.0026

EPSS Percentile 16.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

koha/koha < 25.11.00

Published Jun 03, 2026

Tracked Since Jun 04, 2026