Stored XSS in Koha version ≤25.11 (CVE-2026-26377)
Description and Impact
| Type | Version Affected | Required Authentication | Disclosure |
|---|---|---|---|
| Stored XSS | ≤ 25.11 | Yes | 0-day |
This vulnerability poses a critical risk because the malicious payload is stored on the server and executes for every user who views the affected page, without any social engineering. Successful exploitation allows an attacker to exfiltrate sensitive data, impersonate high-privileged users (administrator account takeover), and compromise the confidentiality and integrity of the application.
Steps to Reproduce
(Tested on Koha version 25.05.02.000 and on version 25.11)

1. Log in using an account with permission to add News.
2. Go to Tools → News → New Entry.
3. Add any post and Save.
4. Edit that post using "Edit with Text Editor".
5. Add the payload `"><script>alert("Stored XSS")</script>` into the content field.
6. Save; the XSS triggers on the resulting page.

Additionally, when returning to the main page, the XSS triggers again, because the stored content is neither sanitized nor encoded before it is rendered.
