{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26377", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-10T14:33:25.148Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-05T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-05T15:28:05.585Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Koha-Community/Koha"}, {"url": "https://g03m0n.github.io/"}, {"url": "https://g03m0n.github.io/posts/cve-2026-26377/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:31:25.467420Z", "id": "CVE-2026-26377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:33:25.148Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:31:25.467420Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:32:45.648Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Koha-Community/Koha"}, {"url": "https://g03m0n.github.io/"}, {"url": "https://g03m0n.github.io/posts/cve-2026-26377/"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-05T15:28:05.585Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26377", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:33:25.148Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-05T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*", "matchCriteriaId": "25FAB290-1183-4E6F-8512-9ED7BBEA694C", "versionEndIncluding": "25.11.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function."}, {"lang": "es", "value": "Vulnerabilidad de Cross Site Scripting en Koha 25.11 y versiones anteriores permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de la funci\u00f3n de Noticias."}], "id": "CVE-2026-26377", "lastModified": "2026-03-10T18:18:43.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T16:16:16.350", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://g03m0n.github.io/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://g03m0n.github.io/posts/cve-2026-26377/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/Koha-Community/Koha"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,25.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "koha", "vendor": "koha-community"}], "analysis": {"en": {"generated_at": "2026-04-18T09:58:51.760996+00:00", "value": {"mitigation_remediation": ["Upgrade Koha to a version newer than 25.11, preferably the latest stable release.", "If an upgrade is not immediately feasible, disable the News function or restrict its use to trusted staff only using role\u2011based access control.", "Deploy a Content Security Policy that prevents the execution of inline scripts and limits script sources to trusted domains."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Koha library management system, versions 25.11 and earlier.", "description_and_impact": "A reflected cross\u2011site scripting flaw exists in the News function of Koha library management system up to and including version 25.11. An unauthenticated attacker can craft a request or URL that injects malicious JavaScript into the News page. When an end\u2011user views the page, the script runs with the browser context of that user, allowing execution of arbitrary code, theft of session data, defacement, or further compromise of the user\u2019s system. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, while an EPSS value of less than 1% suggests exploitation is currently unlikely but still possible. Because the vulnerability is remotely exploitable without authentication, any visitor to a vulnerable Koha site could be compromised. The flaw has not yet appeared in the CISA KEV catalog but is publicly documented, so attentive attackers could target unpatched installations. Implementing mitigations such as updating the software or applying defense\u2011in\u2011depth controls is recommended to prevent potential exploitation."}}}}, "created": "2026-03-06T15:18:22.755193+00:00", "title": "Koha 25.11 and Earlier: Reflected XSS in News Function", "updated": "2026-04-18T10:00:10.353869+00:00", "vendors": ["koha-community", "koha-community$PRODUCT$koha"]}