Koha Koha
8 CVEs affecting Koha Koha. Latest disclosed: 2026-06-03. Critical: 1, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-22954 | Critical | 10.0 | 2025-03-12 | GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. |
| CVE-2026-31844 | High | 8.8 | 2026-03-11 | An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper… |
| CVE-2015-4639 | High | 8.8 | 2017-07-21 | Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows rem… |
| CVE-2025-30076 | High | 7.7 | 2025-03-16 | Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter. |
| CVE-2026-26379 | Medium | 6.5 | 2026-06-03 | Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attacke… |
| CVE-2026-26378 | Medium | 5.4 | 2026-06-03 | Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features. |
| CVE-2014-9446 | | | 2015-01-02 | Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitra… |
| CVE-2011-4715 | | | 2011-12-08 | Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote att… |