CVE-2026-50766
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
Risk Assessment
An attacker can steal user sessions, redirect users to malicious sites, or exfiltrate library data, compromising the confidentiality and integrity of the system.
Recommendation
Immediately upgrade Koha to version 25.11.xx or later, which includes a fix for this vulnerability. Until the update is applied, restrict edit_items permissions to trusted users only.
Original NVD description (English source)
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).

