Summary: A critical SQL Injection vulnerability (CVE-2025-22954) has been discovered in Koha, a popular open-source library management system, affecting multiple versions. This flaw allows both unauthenticated and authenticated users to inject arbitrary SQL instructions, posing a severe risk to sensitive data. Koha version 24.11.02 has been released to address this issue, along with additional security enhancements.
Affected: Koha Library Management System
Key points:
- Vulnerability CVE-2025-22954 with a CVSS score of 10 allows SQL injection through unvalidated parameters.
- On Koha versions 21.11.x and earlier, unauthenticated users can exploit this flaw; on later versions it remains exploitable by authenticated users.
- Upgrading to Koha version 24.11.02 is highly recommended to mitigate this critical security risk; the release also includes other security enhancements.
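The "unvalidated parameters" point above is easiest to see side by side. The following is an added example written for this page, not code from the Koha project (Koha itself is written in Perl, and its real schema, query paths and the affected parameters are not reproduced here). It uses a hypothetical `borrowers` table in an in-memory SQLite database, constructed inline, and contrasts a lookup that interpolates the request parameter into the SQL text with one that binds it as a query parameter, plus an allowlist check that rejects malformed input before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data for the example; a hypothetical table, not Koha's schema.
SAMPLE_BORROWERS = [
    (1, "A001", "Adams"),
    (2, "B002", "Baker"),
    (3, "C003", "Clark"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE borrowers ("
        "borrowernumber INTEGER PRIMARY KEY, cardnumber TEXT, surname TEXT)"
    )
    conn.executemany("INSERT INTO borrowers VALUES (?, ?, ?)", SAMPLE_BORROWERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, cardnumber):
    """Interpolates the request parameter straight into the SQL text.

    This is the pattern behind injection flaws of the kind the advisory
    describes: the value can change the structure of the statement.
    """
    sql = (
        "SELECT surname FROM borrowers "
        f"WHERE cardnumber = '{cardnumber}' ORDER BY borrowernumber"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, cardnumber):
    """Binds the request parameter, so the driver sends it separately from
    the SQL text and it can only ever be compared as a value."""
    sql = "SELECT surname FROM borrowers WHERE cardnumber = ? ORDER BY borrowernumber"
    return [row[0] for row in conn.execute(sql, (cardnumber,))]


def is_valid_cardnumber(cardnumber):
    """Defence in depth: allowlist the expected shape of the parameter.

    The pattern is an assumption for this example (short alphanumeric card
    numbers); a real deployment would use its own format.
    """
    return re.fullmatch(r"[A-Za-z0-9]{1,16}", cardnumber) is not None


def demo():
    """Run both lookups on a benign and a malformed parameter and return the results."""
    conn = make_db()
    benign = "A001"
    tainted = "' OR '1'='1"  # textbook malformed input that breaks out of the quoted literal
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tainted": lookup_vulnerable(conn, tainted),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_tainted": lookup_hardened(conn, tainted),
        "validator_benign": is_valid_cardnumber(benign),
        "validator_tainted": is_valid_cardnumber(tainted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the interpolated query, the malformed parameter turns a single-row lookup into a dump of every row; with the bound parameter the same string matches nothing, because it is compared as a literal card number. The allowlist check is not a substitute for parameter binding, but it stops malformed input at the edge and gives a clean point to log rejected requests for detection.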