By vendor

Koha vulnerabilities

Known CVEs affecting Koha products, prioritized by severity, with SEC.co remediation and detection guidance.

2 published vulnerabilities

  • CVE-2026-26379MEDIUM 6.5

    Koha, an open-source library management system, contains a Server-Side Request Forgery (SSRF) vulnerability in its Z39.50/SRU server configuration. An authenticated attacker can exploit this flaw to scan the internal network and discover which services are running by measuring how the server responds to requests. This vulnerability affects Koha versions up to and including 25.11.

  • CVE-2026-26378MEDIUM 5.4

    Koha, an open-source library management system, contains a cross-site scripting (XSS) vulnerability in its Invoice feature file upload functionality. An authenticated attacker can craft a malicious file upload that executes arbitrary code in the browsers of users who interact with the uploaded invoice. The vulnerability affects Koha version 25.11 and earlier. Exploitation requires an attacker to have valid library system credentials and user interaction—typically a staff member viewing or processing the invoice.