CVE-2026-26378
Description
Koha 25.11 and prior are vulnerable to XSS via file upload in invoice features. The CVE description characterizes the outcome as remote code execution; what the disclosed issue actually yields is arbitrary JavaScript execution in the browser of the staff user who views the uploaded file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in Koha versions 25.11 and earlier. This vulnerability is located within the file upload functionality of the Invoice features. The issue arises because the application permits the upload and inline rendering of SVG files with an image Content-Type, which can contain malicious JavaScript payloads.
Exploitation
An attacker needs an account that can create or open an invoice. They then upload an SVG file containing an XSS payload, such as <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>, through the invoice file upload interface. The payload fires when another user clicks to view the uploaded file: because the server returns it with an image Content-Type and no download disposition, the browser renders the SVG as a document and runs the embedded JavaScript in that user's session.
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser, within the Koha staff interface origin. Consequences include session hijacking (if the session cookie is exposed to script), theft of data visible to the victim, and actions performed in the staff interface with the victim's privileges; the severity depends on the role of the user who views the file, since a library administrator viewing the invoice file hands the attacker administrative capability.
Mitigation
Koha versions 25.11 and prior are affected. The available references do not identify a patched release; the disclosure [3] describes the issue as a 0-day at the time of publication. Until a fixed version is available, operators should stop serving invoice attachments inline: return uploads with Content-Disposition: attachment (or a non-renderable Content-Type such as application/octet-stream), reject or sanitize SVG uploads, and restrict who may attach files to invoices.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application allows inline rendering of SVG files with an image Content-Type, enabling the execution of embedded JavaScript payloads."
Attack vector
An attacker can exploit this vulnerability by uploading an SVG file containing a Cross-Site Scripting (XSS) payload to the invoice files feature. The application permits inline rendering for files with an image Content-Type, meaning that when a victim views the uploaded SVG file, the embedded JavaScript will execute in their browser. This allows for arbitrary code execution within the context of the victim's session. [ref_id=3]
Affected code
The vulnerability exists in the invoice files feature of Koha, specifically within the process of handling uploaded files for invoices. The issue arises when the application allows inline rendering for files with an image Content-Type, such as SVG, which can then contain and execute XSS payloads. [ref_id=3]
What the fix does
The patch is not explicitly detailed in the provided references. The vulnerability is described as an XSS via file upload in Koha version <= 25.11 [ref_id=3]. Remediation would typically take one or more of these forms: serve stored uploads with Content-Disposition: attachment rather than inline; sniff uploaded content and refuse to return anything SVG-shaped with an image Content-Type; sanitize or reject SVG documents that carry script elements, on* event-handler attributes, or javascript: URLs; and send a Content-Security-Policy on the download endpoint so that a file which is rendered anyway cannot execute script.
Preconditions
- auth: The attacker must have the ability to create or access an invoice within the Koha system.
- input: The attacker must be able to upload an SVG file containing an XSS payload.
Reproduction
First, create a vendor (skip this step if one already exists):
Vendor ABC was successfully created. Access Receive Shipments to create a new Invoice:
An Invoice with invoiceid=3 was successfully created:
Then, access the URL cgi-bin/koha/acqui/invoice-files.pl?invoiceid=3:
Upload an SVG file containing the XSS payload, for example: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>
Since the application serves the stored file inline with an image Content-Type, the browser renders the SVG as a document when a user clicks to view it, and the onload handler executes in that user's session, triggering the XSS. [ref_id=3]
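The following is an added example, not Koha project code and not the fix the project shipped. It covers both the remediation sketched under "What the fix does" and the reproduction above: it takes the page's own payload as a constructed sample, sniffs whether an upload is really an SVG regardless of its declared image type, lists the script-bearing constructs inside it, decides the response headers a hardened download endpoint would send, and audits a captured set of response headers for the inline-rendering condition the reproduction relies on. The function names are this example's own; the header names are standard HTTP. It uses the standard-library XML parser, which is not hardened against entity-expansion attacks, so a production deployment would swap in defusedxml.

```python
"""Hardened handling of "image" uploads that are really SVG (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed samples: the payload from the reproduction, a harmless SVG, and a PNG header.
MALICIOUS_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def looks_like_svg(data: bytes) -> bool:
    """Sniff the stored bytes; the extension and the client's Content-Type are untrusted."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<svg") or (
        (head.startswith(b"<?xml") or head.startswith(b"<!doctype")) and b"<svg" in head
    )


def svg_active_content(data: bytes) -> list[str]:
    """Return a finding per script-capable construct: <script>, <foreignObject>,
    on* event-handler attributes, and javascript: URLs in href attributes."""
    try:
        root = ET.fromstring(data)  # swap in defusedxml.ElementTree for untrusted input
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler {local}= on <{tag}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def response_headers_for(data: bytes, declared_type: str) -> dict[str, str]:
    """Headers for serving a stored upload. Anything SVG-shaped is forced to a
    download under a non-renderable type, with a sandboxing CSP as a second
    layer in case a browser renders it anyway. Other files keep their type but
    get nosniff so the browser does not second-guess it."""
    if looks_like_svg(data):
        return {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'",
        }
    return {"Content-Type": declared_type, "X-Content-Type-Options": "nosniff"}


def inline_svg_exposure(headers: dict[str, str]) -> bool:
    """Audit a captured response: True when a browser would render the body as an
    SVG document and execute its scripts (the condition the reproduction needs)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "image/svg+xml" not in h.get("content-type", ""):
        return False
    if "attachment" in h.get("content-disposition", ""):
        return False
    csp = h.get("content-security-policy", "")
    if re.search(r"\bsandbox\b", csp) or re.search(r"(script-src|default-src)\s+'none'", csp):
        return False
    return True


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, svg_active_content(blob), response_headers_for(blob, "image/svg+xml"))
    # Headers as the vulnerable endpoint is described to send them: exposed.
    print("exposed:", inline_svg_exposure({"Content-Type": "image/svg+xml"}))
```

The audit helper is the quick check to run against a patched instance: fetch a stored SVG through the invoice-files download URL and feed the response headers to `inline_svg_exposure`; if it still returns True, the fix has not closed the inline-rendering path even if the upload form now rejects obviously malicious files.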
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.