CVE-2026-26378: Koha Invoice XSS Vulnerability – Stored Script Injection in Library Management
Koha, an open-source library management system, contains a cross-site scripting (XSS) vulnerability in its Invoice feature file upload functionality. An authenticated attacker can craft a malicious file upload that executes arbitrary code in the browsers of users who interact with the uploaded invoice. The vulnerability affects Koha version 25.11 and earlier. Exploitation requires an attacker to have valid library system credentials and user interaction—typically a staff member viewing or processing the invoice.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stored cross-site scripting vulnerability (CWE-79) in Koha's Invoice module file upload handler. The vulnerability arises from insufficient input sanitization and output encoding of uploaded file names or content processed during invoice creation or retrieval. An authenticated attacker with permission to upload invoice files can inject malicious scripts that persist in the application. When authorized users (likely library staff) access or process the invoice, the injected script executes in their session context with the same privileges, potentially allowing session hijacking, credential theft, or unauthorized modification of library records. The CVSS 3.1 score of 5.4 (Medium) reflects the requirement for valid credentials, user interaction, and limited impact scope.
Business impact
Library staff productivity could be disrupted if attackers inject scripts that manipulate the user interface or redirect staff to phishing pages during invoice processing workflows. Compromised staff sessions could lead to unauthorized changes to patron records, financial data, or library configurations. The attack surface is limited to users with invoice management responsibilities, but the persistence of stored XSS means the threat remains until patching. For multi-branch library systems sharing a single Koha instance, a single upload could affect dozens of staff members. Reputational risk exists if patron data becomes exposed through hijacked staff accounts.
Affected systems
Koha versions 25.11 and earlier are affected. This includes all production deployments of Koha using the vulnerable release track. Organizations running self-hosted Koha instances are directly impacted. Hosted Koha service providers should verify their deployment versions immediately. The vulnerability is specific to the Invoice feature's file upload mechanism, so organizations that do not use Koha's invoicing module may have reduced but not eliminated exposure, depending on whether the vulnerable code is loaded in memory.
Exploitability
Exploitation is moderately straightforward but constrained by prerequisites. An attacker must possess valid Koha credentials with invoice upload permissions—typically a library staff member account or a compromised administrative account. The attack does not require advanced technical skill; crafting a malicious file name or embedding script in an invoice document is within the capability of script-kiddie-level attackers. However, widespread impact requires either multiple compromised accounts or social engineering to convince a legitimate staff member to upload a prepared malicious file. The CVSS vector indicates that network access is available (AV:N) and attack complexity is low (AC:L), but authentication (PR:L) and user interaction (UI:R) are mandatory barriers. The vulnerability is not publicly weaponized as of the advisory date, and no active exploitation in the wild has been reported.
Remediation
Apply the latest patched version of Koha that addresses the file upload sanitization in the Invoice module. Verify the patch version against the official Koha security advisory and release notes. Pending patching, restrict invoice upload permissions to a minimal set of trusted staff members, implement network-level access controls to Koha's invoice interface, and monitor for suspicious file uploads or unusual script tags in invoice processing logs. For organizations unable to patch immediately, consider disabling the Invoice feature if operationally feasible.
Patch guidance
Check the official Koha release notes and security advisories for the next available version after 25.11 that contains a fix for this XSS vulnerability. Apply patches during a scheduled maintenance window after testing in a non-production environment. Verify that file upload handlers properly sanitize and encode all user-supplied input before storage and retrieval. After patching, clear any invoices uploaded during the vulnerability window or inspect them manually for suspicious content. Document the patch date and scope for compliance records.
Detection guidance
Monitor web server and application logs for invoice file uploads containing script tags, JavaScript event handlers, or encoded payloads. Search for file names with extensions that suggest scripts (e.g., .js, .html mixed with invoice naming conventions). Review user access logs for unusual patterns of invoice viewing immediately after uploads. Inspect the Koha database for stored scripts within invoice records or file metadata. Implement Web Application Firewall (WAF) rules to block common XSS patterns in file upload parameters. Alert on any instance of a staff member clicking links within an invoice document, as this may indicate successful exploitation.
Why prioritize this
This vulnerability merits prompt but not emergency attention. The Medium CVSS score and authentication requirement mean this is not a critical, worm-capable threat. However, the stored nature of the XSS and the persistence of the payload until patching mean that any exploitation will have sustained impact across multiple user sessions. Libraries should prioritize patching this within their standard monthly or quarterly security update cycle, ahead of lower-severity issues but below zero-day or high-CVSS threats. Organizations with high-risk patron data (PII, reading histories) or those in regulated environments should move it to a higher priority.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects a network-accessible vulnerability requiring valid credentials and user interaction, with limited confidentiality and integrity impact and no availability impact. The score would be higher if the vulnerability allowed unauthenticated exploitation or affected a wider scope than the authenticated user's session. The stored nature of XSS is a concerning factor not fully reflected in the base CVSS, as it increases the blast radius compared to reflected XSS, but the requirement for staff involvement and the narrowness of the Invoice feature module prevent a High rating.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires valid Koha credentials and typically invoice management permissions. An attacker must already have a library staff account or compromise one to upload malicious files.
Does this vulnerability allow direct server compromise or remote code execution on the Koha server?
No. This is a cross-site scripting vulnerability executed in the user's browser, not on the server. It allows an attacker to hijack a staff member's session or steal data accessible to that user, but not to run arbitrary code on the Koha server itself.
If we don't use the Invoice feature, are we still at risk?
The vulnerability is specific to the Invoice module's file upload handler. If your Koha instance does not use invoicing, the risk is substantially lower, though the vulnerable code may still be present. Patching is still recommended to prevent accidental exposure if the feature is enabled in the future.
How quickly should we patch this?
Given the Medium severity and authentication requirements, patching within 30–60 days is reasonable for most organizations. However, if your library operates in a regulated environment (e.g., healthcare integration) or handles sensitive patron data, prioritize patching within 2 weeks.
This analysis is provided for informational purposes to support security decision-making. SEC.co does not guarantee the accuracy or completeness of vendor patch availability or timelines. Organizations should independently verify patch versions, compatibility, and testing requirements against official Koha security advisories before deployment. No liability is assumed for misuse of this information or for decisions made based solely on this assessment. Consult your Koha vendor or the Koha community security team for official guidance on remediation and patch release schedules. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1