CVE-2026-26378
Analyzed Analyzed - Analysis Complete
Cross Site Scripting in Koha Invoice File Upload

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: MITRE

Description
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-26378
EUVD
EUVD-2026-34169
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
koha koha to 25.11.00 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26378 is a Cross-Site Scripting (XSS) vulnerability in Koha, an open-source integrated library system, affecting versions up to and including 25.11.

The vulnerability allows attackers to upload malicious SVG files containing JavaScript payloads via the file upload function in the Invoice features.

Because the application renders these SVG files inline due to its handling of image Content-Types, the malicious JavaScript executes in the victim's browser when the file is viewed.

The attack involves creating a vendor, generating an invoice, and uploading the malicious SVG file through a specific URL.

This vulnerability is classified as a zero-day issue and was disclosed on December 31, 2025.

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript code via a file upload function, potentially leading to unauthorized access to sensitive data and impersonation of privileged users.

Such unauthorized access and data exfiltration could compromise the confidentiality and integrity of user data, which are key requirements under regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability may lead to non-compliance with these standards due to potential data breaches and failure to protect personal or sensitive information.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the browsers of users who view the maliciously uploaded SVG files.

This can lead to unauthorized actions such as stealing sensitive information, session hijacking, or impersonating users within the Koha system.

Since the vulnerability is triggered via the invoice file upload feature, attackers can target users who access or manage invoices.

Detection Guidance

This vulnerability involves uploading malicious SVG files containing JavaScript payloads via the invoice file upload feature in Koha versions up to 25.11.

Detection can focus on monitoring for suspicious SVG file uploads or unusual HTTP POST requests to the invoice upload URL that contain embedded JavaScript.

Specific commands are not provided in the resources, but general approaches include:

  • Using web server logs to search for POST requests to invoice upload endpoints with SVG files.
  • Scanning uploaded files for embedded JavaScript or suspicious content.
  • Using network monitoring tools to detect unusual traffic patterns related to file uploads.
Mitigation Strategies

Immediate mitigation steps include restricting or disabling the invoice file upload feature to prevent uploading SVG files with embedded JavaScript.

Additionally, validating and sanitizing uploaded files to block SVG files containing scripts can reduce risk.

Applying any available patches or updates from the Koha community once released is also critical.

Until patches are available, monitoring and restricting user permissions to trusted users can help limit exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart