
koha

21 known vulnerabilities across versions
Vulnerabilities are listed by affected version range. Each entry gives the CVE ID, the affected version range as recorded by the site, the opening of the advisory description, and the score with its severity rating (two entries carry no score).
CVE-2026-26379
<= 25.11.00
Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This
6.5 MEDIUM

CVE-2026-26378
<= 25.11.00
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload fun
5.4 MEDIUM

CVE-2026-31844
>= 24.11.0 and < 24.11.12
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestio
8.8 HIGH

CVE-2026-26377
<= 25.11.00
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News functi
5.4 MEDIUM

CVE-2024-28740
<= 23.05.00
Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additon
9.6 CRITICAL

CVE-2024-28739
<= 23.05.00
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parame
7.2 HIGH

CVE-2024-24337
<= 23.05.05
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System vers
8.0 HIGH

CVE-2023-5025
<= 23.05.03
A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of
3.5 LOW

CVE-2014-1925
< 3.08.23
SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23,
9.8 CRITICAL

CVE-2014-1924
< 3.08.23
The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x
9.8 CRITICAL

CVE-2014-1923
< 3.08.23
Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Ko
7.5 HIGH

CVE-2014-1922
< 3.08.23
Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, a
7.5 HIGH

CVE-2015-4633
>= 3.14.00 and < 3.14.16
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x bef
9.8 CRITICAL

CVE-2015-4632
>= 3.14.00 and < 3.14.16
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20
7.5 HIGH

CVE-2015-4631
>= 3.14.00 and < 3.14.16
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, a
5.4 MEDIUM

CVE-2015-4630
>= 3.14.00 and < 3.14.16
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.1
8.0 HIGH

CVE-2018-1000670
>= 16.11.0 and <= 16.11.13
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vuln
6.1 MEDIUM

CVE-2018-1000669
>= 16.11.0 and <= 16.11.13
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSR
8.8 HIGH

CVE-2015-4639
>= 3.14.00 and < 3.14.16
Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.
8.8 HIGH

CVE-2014-9446
<= 3.16.05
Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remot

CVE-2011-4715
>= 3.04.00 and < 3.04.07
Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2
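
The affected-version ranges above use a small notation ("<= 25.11.00", ">= 24.11.0 and < 24.11.12", "< 3.08.23", "all versions") that is easy to misread by hand because the site zero-pads minor and patch numbers while Koha's own version strings carry a fourth component (e.g. 23.05.03.000). The following is an added example, not code from this site or from the Koha project: it parses that notation and reports which listed CVEs a given Koha version falls inside. The range table is a constructed subset copied from the listing above; the four-part Koha version format is an assumption, and "and" is read as a conjunction of bounds exactly as written.

```python
"""Check a Koha version string against affected-version ranges written in the
notation the listing above uses. Added example; not the site's or Koha's code."""
import operator
import re
from typing import Callable

Version = tuple[int, int, int, int]

# Constructed sample table: a subset of the (CVE, affected range) pairs from the
# listing above, copied verbatim. Scores and descriptions are omitted.
KOHA_RANGES: dict[str, str] = {
    "CVE-2026-26379": "<= 25.11.00",
    "CVE-2026-26378": "<= 25.11.00",
    "CVE-2026-31844": ">= 24.11.0 and < 24.11.12",
    "CVE-2026-26377": "<= 25.11.00",
    "CVE-2024-28740": "<= 23.05.00",
    "CVE-2024-28739": "<= 23.05.00",
    "CVE-2024-24337": "<= 23.05.05",
    "CVE-2023-5025": "<= 23.05.03",
    "CVE-2014-1925": "< 3.08.23",
    "CVE-2014-1924": "< 3.08.23",
    "CVE-2014-1923": "< 3.08.23",
    "CVE-2014-1922": "< 3.08.23",
    "CVE-2015-4633": ">= 3.14.00 and < 3.14.16",
    "CVE-2015-4632": ">= 3.14.00 and < 3.14.16",
    "CVE-2015-4631": ">= 3.14.00 and < 3.14.16",
    "CVE-2015-4630": ">= 3.14.00 and < 3.14.16",
    "CVE-2018-1000670": ">= 16.11.0 and <= 16.11.13",
    "CVE-2018-1000669": ">= 16.11.0 and <= 16.11.13",
    "CVE-2014-9446": "<= 3.16.05",
}

_OPS: dict[str, Callable[[Version, Version], bool]] = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "==": operator.eq,
}
# Two-character operators are listed first so "<=" is not matched as "<".
_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'3.8.23', '3.08.23' and '3.08.23.000' all become (3, 8, 23, 0).

    Components are compared numerically, so the zero padding the listing uses
    is irrelevant, and Koha's four-part version strings (assumed format, e.g.
    23.05.03.000) compare correctly against the site's three-part bounds."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    nums = [int(p) for p in parts][:4]
    nums += [0] * (4 - len(nums))
    return (nums[0], nums[1], nums[2], nums[3])


def parse_range(text: str) -> Callable[[Version], bool]:
    """Turn a range string into a predicate over parsed versions.

    'all versions' matches everything; otherwise every 'op version' clause
    joined by ' and ' must hold, with bound inclusivity exactly as written."""
    text = text.strip()
    if text == "all versions":
        return lambda _v: True
    clauses: list[tuple[Callable[[Version, Version], bool], Version]] = []
    for chunk in text.split(" and "):
        m = _CLAUSE.match(chunk.strip())
        if m is None:
            raise ValueError(f"unrecognised range clause: {chunk!r}")
        op, bound = m.groups()
        clauses.append((_OPS[op], parse_version(bound)))
    return lambda v: all(cmp(v, bound) for cmp, bound in clauses)


def affected_cves(version: str, table: dict[str, str] = KOHA_RANGES) -> list[str]:
    """Return the CVE IDs whose recorded range contains `version`, sorted."""
    v = parse_version(version)
    return sorted(cve for cve, rng in table.items() if parse_range(rng)(v))


if __name__ == "__main__":
    for probe in ("24.11.05.000", "25.11.01.000", "3.14.15"):
        print(probe, "->", affected_cves(probe) or "no recorded range matches")
```

Two caveats show up as soon as this runs. First, the single-bound ranges such as "<= 25.11.00" have no lower bound, so an old 3.x install matches them too; that is what the listing states ("Koha versions up to 25.11"), not a parser artefact. Second, an empty result is not an all-clear: the site records one branch per CVE (CVE-2015-4633 is recorded as 3.14.x only while its description also names 3.16.x, 3.18.x and 3.20.x, and CVE-2018-1000670 is recorded as 16.11.x while its description also names 17.05.x), so a version on a sibling branch can be affected without matching any recorded range. Read the full advisory before treating a version as clean.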