koha-community/Koha

GitLab

gitlab.com

Releases710

Frequency1 week 5 days

Last Release 24 days ago

Stars37

Koha is a free software integrated library system (ILS). Koha is distributed under the GNU GPL version 3 or later. Note: this is a synced mirror of the official Koha repo. Note: This project uses its own bug tracker, see https://bugs.koha-community.org/ to report a bug or submit a patch.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-36058 ↗	Apr 7, 2026Tuesday, 7 April 2026, 17:16	9.8 CRITICAL	—
The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.
CVE-2024-36057 ↗	Apr 7, 2026Tuesday, 7 April 2026, 16:16	9.8 CRITICAL	—
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.