What is CVE-2025-22954?

CVE-2025-22954 is a critical-severity vulnerability in Koha, classified under SQL Injection. CVSS score: 10.0/10. Published 2025-03-12.

How severe is CVE-2025-22954?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Is CVE-2025-22954 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in Koha

CVE-2025-22954

GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.

Vulnerability class: SQL Injection

EPSS: 0.287 (96.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Koha — versions 0

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

RandomRobbieBF/CVE-2025-22954
nomi-sec/PoC-in-GitHub
plzheheplztrying/cve_

References

bugs.koha-community.org/bugzilla3/show_bug.cgi
koha-community.org/koha-24-11-02-released/

Frequently asked questions

What is CVE-2025-22954?: CVE-2025-22954 is a critical-severity vulnerability in Koha, classified under SQL Injection. CVSS score: 10.0/10. Published 2025-03-12.
How severe is CVE-2025-22954?: Critical severity. CVSS v3 base score is 10.0 out of 10.
Is CVE-2025-22954 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.