Koha
by Koha
Source repositories
CVEs (31)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-26377 | 0.00 | — | 0.00 | Mar 5, 2026 | Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function. | |||
| CVE-2024-28740 | 0.00 | — | 0.01 | Aug 6, 2024 | Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component. | |||
| CVE-2024-24337 | 0.00 | — | 0.01 | Feb 12, 2024 | CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components. | |||
| CVE-2023-44961 | 0.00 | — | 0.01 | Oct 11, 2023 | SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl. component. | |||
| CVE-2023-5025 | 0.00 | — | 0.01 | Sep 17, 2023 | A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated… | |||
| CVE-2014-1925 | 0.00 | — | 0.02 | Jan 24, 2020 | SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via… | |||
| CVE-2014-1924 | 0.00 | — | 0.02 | Jan 24, 2020 | The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via… | |||
| CVE-2014-1922 | 0.00 | — | 0.02 | Jan 24, 2020 | Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors. | |||
| CVE-2014-1923 | 0.00 | — | 0.03 | Jan 24, 2020 | Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via… | |||
| CVE-2014-9446 | 0.00 | — | 0.01 | Jan 2, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in… | |||
| CVE-2011-4715 | 0.00 | — | 0.09 | Dec 8, 2011 | Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related… |
- CVE-2026-26377Mar 5, 2026risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.
- CVE-2024-28740Aug 6, 2024risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component.
- CVE-2024-24337Feb 12, 2024risk 0.00cvss —epss 0.01
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.
- CVE-2023-44961Oct 11, 2023risk 0.00cvss —epss 0.01
SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl. component.
- CVE-2023-5025Sep 17, 2023risk 0.00cvss —epss 0.01
A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated…
- CVE-2014-1925Jan 24, 2020risk 0.00cvss —epss 0.02
SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via…
- CVE-2014-1924Jan 24, 2020risk 0.00cvss —epss 0.02
The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via…
- CVE-2014-1922Jan 24, 2020risk 0.00cvss —epss 0.02
Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors.
- CVE-2014-1923Jan 24, 2020risk 0.00cvss —epss 0.03
Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via…
- CVE-2014-9446Jan 2, 2015risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in…
- CVE-2011-4715Dec 8, 2011risk 0.00cvss —epss 0.09
Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related…
Page 2 of 2