CVE-2026-26377

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26377

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26377.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26377

Published

2026-03-05T16:16:16.350Z

Modified

2026-04-10T05:36:58.920289Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.

References

Affected packages

Git / github.com/koha-community/koha

Affected ranges

Type

GIT

Repo

https://github.com/koha-community/koha

Events

Introduced

Last affected

3f2987eb19f7ac1987591d8e9b01961c39405b39

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "25.11.00"
        }
    ]
}

Affected versions

Other

R_1-2-2RC4

R_1-3-0

R_1-3-1

R_1-3-2

R_1-3-3

R_1-9-0

R_1-9-1

R_1-9-2

R_1-9-3

R_2-0-0RC1

R_2-0-0pre1

R_2-0-0pre2

R_2-0-0pre3

R_2-0-0pre4

R_2-0-0pre5

R_2-1

R_2-4

v16.*

v16.05.00

v16.05.00-beta

v16.11.00

v17.*

v17.05.00

v17.11.00

v18.*

v18.05.00

v18.05.00-rc1

v18.11.00

v19.*

v19.05.00

v19.11.00

v20.*

v20.05.00

v20.11.00

v21.*

v21.05.00

v21.11.00

v22.*

v22.05.00

v22.11.00

v23.*

v23.05.00

v23.11.00

v24.*

v24.05.00

v24.11.00

v25.*

v25.05.00-1

v25.05.00-2

v25.11.00

v3.*

v3.00.00

v3.00.00-alpha

v3.00.00-beta

v3.00.00-beta2

v3.00.00-stableRC1

v3.02.00-alpha

v3.02.00-alpha2

v3.02.00-beta

v3.04.00

v3.08.00

v3.12.00-alpha

v3.12.00-alpha2

v3.12.00-beta1

v3.14.00-alpha1

v3.14.00-alpha2

v3.14.00-beta

v3.16.00

v3.16.00-beta

v3.16.00-rc

v3.18.00

v3.18.00-beta

v3.20.00

v3.20.00-beta

v3.22.00

v3.22.00-beta

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26377.json"