CVE-2026-26378
Received - Intake
Cross Site Scripting in Koha Invoice File Upload

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the file upload function in the Invoice features.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: koha_community
Product: koha
Version / Range: to 25.11 (inc)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26378 is a Cross-Site Scripting (XSS) vulnerability in Koha, an open-source integrated library system, affecting versions up to and including 25.11.

The vulnerability allows attackers to upload malicious SVG files containing JavaScript payloads via the file upload function in the Invoice features.

Because the application renders these SVG files inline due to its handling of image Content-Types, the malicious JavaScript executes in the victim's browser when the file is viewed.

The attack involves creating a vendor, generating an invoice, and uploading the malicious SVG file through a specific URL.

This vulnerability is classified as a zero-day issue and was disclosed on December 31, 2025.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute arbitrary JavaScript code via a file upload function, potentially leading to unauthorized access to sensitive data and impersonation of privileged users.

Such unauthorized access and data exfiltration could compromise the confidentiality and integrity of user data, which are key requirements under regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability may lead to non-compliance with these standards due to potential data breaches and failure to protect personal or sensitive information.


How can this vulnerability impact me?

Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the browsers of users who view the maliciously uploaded SVG files.

This can lead to unauthorized actions such as stealing sensitive information, session hijacking, or impersonating users within the Koha system.

Since the vulnerability is triggered via the invoice file upload feature, attackers can target users who access or manage invoices.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves uploading malicious SVG files containing JavaScript payloads via the invoice file upload feature in Koha versions up to 25.11.

Detection can focus on monitoring for suspicious SVG file uploads or unusual HTTP POST requests to the invoice upload URL that contain embedded JavaScript.

Specific commands are not provided in the resources, but general approaches include:

  • Using web server logs to search for POST requests to invoice upload endpoints with SVG files.
  • Scanning uploaded files for embedded JavaScript or suspicious content.
  • Using network monitoring tools to detect unusual traffic patterns related to file uploads.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or disabling the invoice file upload feature to prevent uploading SVG files with embedded JavaScript.

Additionally, validating and sanitizing uploaded files to block SVG files containing scripts can reduce risk.

Applying any available patches or updates from the Koha community once released is also critical.

Until patches are available, monitoring and restricting user permissions to trusted users can help limit exploitation.
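As an added example of the file-level check the detection and mitigation answers above describe (this is not code from the resource page or from the Koha project), the Python function below parses an uploaded SVG and reports script elements, event-handler attributes and javascript: URLs, so an upload handler can reject such files instead of storing them. The function names and the two sample SVG documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Attributes that carry a URL in SVG (plain href and the xlink form).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Constructed sample inputs: a harmless icon and one carrying active content.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()">'
              b'<script>/* constructed sample */</script>'
              b'<a href=" javascript:f()"><text>x</text></a></svg>')


def find_active_content(svg_bytes):
    """Return a list of findings describing script-bearing content in an SVG.

    An empty list means no <script>/<foreignObject> elements, no on* event
    handler attributes and no javascript: URLs were found.  Unparseable XML is
    reported as a finding rather than ignored, because a browser may still
    render a malformed file leniently.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); reject"]
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()  # strip XML namespace
        if local in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for name, value in elem.attrib.items():
            attr_local = name.rsplit("}", 1)[-1].lower()
            if attr_local.startswith("on"):
                findings.append(f"event handler {attr_local} on <{local}>")
            if name in URL_ATTRS or attr_local == "href":
                # Browsers ignore whitespace/control chars before the scheme,
                # so normalise before comparing.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URL in {attr_local} on <{local}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the SVG parsed cleanly and carries no active content."""
    return find_active_content(svg_bytes) == []
```

Rejecting at upload is the content check; independently, serving stored uploads with `Content-Disposition: attachment` (or as a non-image type) stops the inline rendering the advisory describes, even for files that slip past the check.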

