CVE-2025-22954

Name of the Vulnerable Software and Affected Versions Koha versions prior to 24.11.02

Description The issue allows SQL injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. This could let attackers access sensitive data, tamper with records, or wipe out databases entirely. A remote attacker without privileges can cause remote code execution. It is estimated that over 39,000 results are found to be potentially vulnerable.

Recommendations For versions prior to 24.11.02, update to version 24.11.02 or later to protect sensitive data. As a temporary workaround, consider restricting access to the /serials/lateissues-export.pl endpoint until a patch is available. Avoid using the supplierid or serialid parameters in the affected API endpoint until the issue is resolved.