Cross-Site Scripting via File Upload in Koha (CVE-2026-26378)

Description and Impact

Type                  Version Affected    ?-day
XSS via File Upload   ≤ 25.11 (latest)    0-day

Steps to Reproduce

First, create an arbitrary vendor (if one already exists, skip this step):

[Screenshot: /images/CVE-2026-26378-0.png]

Vendor ABC was successfully created. Access Receive Shipments to create a new Invoice:

[Screenshot: /images/CVE-2026-26378-1.png]

[Screenshot: /images/CVE-2026-26378-2.png]

An invoice with invoiceid=3 was created successfully:

[Screenshot: /images/CVE-2026-26378-3.png]

Then open the URL cgi-bin/koha/acqui/invoice-files.pl?invoiceid=3:

[Screenshot: /images/CVE-2026-26378-4.png]

Proceed to upload an SVG file containing the XSS payload as follows:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>

[Screenshot: /images/CVE-2026-26378-5.png]

Because the application renders any file whose declared Content-Type is an image type inline, an SVG file containing script can be uploaded and served from the application's own origin. Opening the file in the browser executes the embedded JavaScript, triggering the XSS.

[Screenshot: /images/CVE-2026-26378-6.png]
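As an added example (not part of the original advisory and not Koha's own code), the server-side check that the root cause above calls for: sniff the stored bytes instead of trusting the declared Content-Type, allow inline rendering only for known raster formats whose bytes match the declared type, and force everything else (SVG, mismatches, unknowns) to download with a restrictive CSP. Function names and the header set are this example's own choices.

```python
import re
from typing import Dict, Optional

# Raster formats that browsers render without executing script.
SAFE_INLINE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Magic bytes for the raster formats allowed inline.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# SVG is XML text: optional prolog/comments/whitespace, then an <svg ...> root.
_SVG_ROOT = re.compile(rb"<\s*svg[\s>]", re.IGNORECASE)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's bytes, or None if unknown."""
    head = data[:64]
    for magic, mime in RASTER_MAGIC.items():
        if head.startswith(magic):
            return mime
    if head.startswith(b"RIFF") and head[8:12] == b"WEBP":
        return "image/webp"
    if _SVG_ROOT.search(data[:4096]):
        return "image/svg+xml"
    return None


def response_headers_for(data: bytes, declared_type: str) -> Dict[str, str]:
    """Decide how a stored upload may be served. The type declared at upload
    time is only honoured when the sniffed bytes agree and the type is a
    script-free raster format; everything else is served as a download."""
    actual = sniff_image_type(data)
    if actual in SAFE_INLINE_IMAGE_TYPES and actual == declared_type.lower():
        return {"Content-Type": actual,
                "Content-Disposition": "inline",
                "X-Content-Type-Options": "nosniff"}
    # SVG, mismatched or unrecognised content: never render in the app origin.
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}
```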