CVE-2026-26378 PUBLISHED

Assigner: mitre
Reserved: 16.02.2026 Published: 03.06.2026 Updated: 04.06.2026

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features

Product Status

Vendor	n/a
Product	n/a
Versions	Version n/a is affected

References

https://github.com/Koha-Community/Koha
https://g03m0n.github.io
https://g03m0n.github.io/posts/cve-2026-26378/

Problem Types

n/a text