Filtered by vendor Koha-community
Subscriptions
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-31844 | 1 Koha-community | 1 Koha | 2026-03-12 | 8.8 High |
| An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data. | ||||
| CVE-2026-26377 | 2 Koha, Koha-community | 2 Koha, Koha | 2026-03-10 | 5.4 Medium |
| Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function. | ||||
| CVE-2024-24337 | 2 Koha, Koha-community | 2 Koha, Koha Library Software | 2025-09-29 | 8.8 High |
| CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components. | ||||
| CVE-2024-24336 | 2 Koha, Koha-community | 2 Koha, Koha Library Software | 2025-09-29 | 8.1 High |
| A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components. | ||||
| CVE-2023-44962 | 1 Koha-community | 1 Koha Library Software | 2024-11-21 | 5.3 Medium |
| File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component. | ||||
| CVE-2023-44961 | 1 Koha-community | 1 Koha Library Software | 2024-11-21 | 7.5 High |
| SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl. component. | ||||
Page 1 of 1.