{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36057", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T13:49:52.148Z", "dateReserved": "2024-05-19T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T15:16:24.213Z"}, "descriptions": [{"lang": "en", "value": "Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line \"qx/unzip $filename -d $dirname/;\" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36057"}, {"url": "https://koha-community.org/koha-22-05-22-released/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:48:25.337882Z", "id": "CVE-2024-36057", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:49:52.148Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36057", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T13:48:25.337882Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:49:44.140Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36057"}, {"url": "https://koha-community.org/koha-22-05-22-released/"}], "descriptions": [{"lang": "en", "value": "Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line \"qx/unzip $filename -d $dirname/;\" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T15:16:24.213Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36057", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:49:52.148Z", "dateReserved": "2024-05-19T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line \"qx/unzip $filename -d $dirname/;\" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images."}], "id": "CVE-2024-36057", "lastModified": "2026-04-09T14:16:24.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T16:16:21.390", "references": [{"source": "cve@mitre.org", "url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36057"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"source": "cve@mitre.org", "url": "https://koha-community.org/koha-22-05-22-released/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "[0,23.05.10)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 86.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "koha_library_software", "vendor": "koha-community"}], "analysis": {"en": {"generated_at": "2026-04-10T11:24:48.386425+00:00", "value": {"mitigation_remediation": ["Upgrade Koha to version 23.05.10 or later, as the vulnerability has been patched in these releases.", "If an upgrade is not immediately possible, disable or remove the ability for users to upload ZIP archives through the Process Images feature or restrict the permission to trusted administrators only.", "Monitor application logs for attempts to use shell metacharacters or suspicious file names during the unzipping process.", "Apply general security best practices by ensuring that any file input is validated and all external commands are executed with sanitized arguments."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Koha Library releases before version 23.05.10. The public release notes for 23.05.10 and later indicate that the issue has been addressed. Users operating with Koha 23.05.09 or earlier versions are exposed, while those running 23.05.10 or newer are not affected. No additional vendor or product name beyond Koha Library is cited.", "description_and_impact": "The Koha Library system fails to sanitize filenames provided by users before extracting ZIP archives. Consequently, the script upload\u2011cover\u2011image.pl executes the shell command qx/unzip $filename -d $dirname/; with the filename directly concatenated. An attacker can supply a crafted filename containing shell metacharacters, which are then executed by the underlying shell. This flaw is a form of code injection (CWE\u201194) and enables remote code execution, allowing the attacker to run arbitrary commands with the web process's privileges. Confidentiality, integrity, and availability of the affected environment could be compromised as a result.", "risk_and_exploitability": "The CVSS score of 9.8 marks this flaw as Critical. The EPSS score is below 1\u202f%, suggesting low current exploitation activity, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is likely web\u2011based: an authenticated or unauthenticated user might upload a malicious ZIP file and trigger the Process Images action. Successful exploitation would give an attacker remote code execution on the server, with full authority to modify data, exfiltrate information, or extend the attack surface. Administrators should assess whether the upload functionality is exposed to untrusted users and understand that the risk hinges on whether they can trigger the vulnerable script."}}}}, "created": "2026-04-08T19:50:21.306058+00:00", "title": "Command Injection via Untrusted Filenames in Koha Library File Upload", "updated": "2026-04-13T14:27:24.995313+00:00", "vendors": ["koha-community", "koha-community$PRODUCT$koha_library_software"]}