Cross Site Scripting Vulnerability in Koha by Koha Community
CVE-2026-26377

5.4MEDIUM

Key Information:

Vendor: Koha Community
Status: Koha
Vendor: CVE Published:; 5 March 2026

🔔 Create Koha Community Vulnerability Alert

What is CVE-2026-26377?

A Cross Site Scripting vulnerability exists in Koha versions 25.11 and earlier, allowing remote attackers to execute arbitrary code through the News functionality. This flaw presents a significant risk, as attackers can exploit it to gain unauthorized access and potentially control affected systems. Users are advised to update to the latest version of Koha and implement security best practices to mitigate this vulnerability.

References

https://github.com/Koha-Community/Koha

https://g03m0n.github.io/

https://g03m0n.github.io/posts/cve-2026-26377/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2026
Vulnerability Reserved
Feb 16, 2026

CVE-2026-26377 Data

JSON