
CVE-2025-30076
https://notcve.org/view.php?id=CVE-2025-30076
16 Mar 2025 — Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter. • https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39170 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-22954 – Koha SQL Injection
https://notcve.org/view.php?id=CVE-2025-22954
12 Mar 2025 — Koha <= 21.11 contains a SQL Injection vulnerability in /serials/lateissues-export.pl via the supplierid parameter. GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. Koha versions prior to 24.11.02 suffer from a remote SQL injection vulnerability in C4/Serials.pm. • https://packetstorm.news/files/id/189922 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-28739
https://notcve.org/view.php?id=CVE-2024-28739
06 Aug 2024 — An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter. • https://febin0x4e4a.wordpress.com/2024/03/07/xss-to-one-click-rce-in-koha-ils • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-28740
https://notcve.org/view.php?id=CVE-2024-28740
06 Aug 2024 — Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additional-contents.pl component. • https://febin0x4e4a.wordpress.com/2023/01/11/xss-vulnerability-in-koha-integrated-library-system • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-24336
https://notcve.org/view.php?id=CVE-2024-24336
19 Mar 2024 — Multiple cross-site scripting (XSS) vulnerabilities in the '/members/moremember.pl' and '/members/members-home.pl' endpoints of Koha Library Management System version 23.05.05 and earlier allow malicious staff users to carry out CSRF attacks, including unauthorized changes to the usernames and passwords of users visiting the affected page, via the 'Circulation note' and 'Patrons Restriction' components. • https://github.com/nitipoom-jar/CVE-2024-24336 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-24337
https://notcve.org/view.php?id=CVE-2024-24337
12 Feb 2024 — CSV Injection vulnerability in the '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands into CSV exports via the 'Budget' and 'Patrons Member' components. • https://github.com/nitipoom-jar/CVE-2024-24337 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2023-44961
https://notcve.org/view.php?id=CVE-2023-44961
11 Oct 2023 — SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl component. • https://github.com/ggb0n/CVE-2023-44961 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-44962
https://notcve.org/view.php?id=CVE-2023-44962
11 Oct 2023 — File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component. • https://github.com/ggb0n/CVE-2023-44962 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-5025 – KOHA MARC search.pl cross site scripting
https://notcve.org/view.php?id=CVE-2023-5025
17 Sep 2023 — A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. • https://vuldb.com/?ctiid.239866 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-1925
https://notcve.org/view.php?id=CVE-2014-1925
24 Jan 2020 — SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924. • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •