A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).
History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Koha
Koha library Management System
Vendors & Products Koha
Koha library Management System

Mon, 29 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Stored XSS in Koha Patron Restriction Type Administration Page

Mon, 29 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field) A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).

Mon, 29 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Authenticated Cross‑Site Scripting in Koha Patron Restriction Type Administration Page

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Authenticated Cross‑Site Scripting in Koha Patron Restriction Type Administration Page
Weaknesses CWE-79

Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-26T00:00:00.000Z

Updated: 2026-06-29T17:01:57.463Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50765

cve-icon Vulnrichment

Updated: 2026-06-29T12:56:40.663Z

cve-icon NVD

No data.

cve-icon Redhat

No data.