# CVE-2026-50765

## About the Application

Koha is an open source, web-based integrated library system (ILS) used by libraries of all types worldwide to manage cataloguing, circulation, acquisitions and patron records. It provides two main interfaces: a staff interface (the intranet) for library administration and an Online Public Access Catalogue (OPAC) through which library users can search and browse the collection.

## About the Finding

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (`display_text` field).

## Proof of Concept

1. Log in to the Koha staff interface with an administrator or superlibrarian account.
2. Navigate to Administration > Patron restriction types.
3. Create a new restriction type. Set the Label field to:

```
';</script><img src="x" onerror="alert(document.domain)">
```

4. Save the restriction type.
5. Navigate back to Administration > Patron restriction types, or open the edit form for any other restriction type.
6. The onerror handler fires when the page loads.

The browser receives the following from the server:

```
  <script>
      var existing = {
          MYCODE: ';</script><img src="x" onerror="alert(document.domain)">',
          };
  </script>
  <img src="x" onerror="alert(document.domain)">
```

The browser closes the script block at `</script>`, renders the `img` tag as HTML, and fires the `onerror` handler in the staff intranet context.

## Conclusion

An authenticated administrator navigates to Administration > Patron restriction types in the Koha staff interface, creates or edits a restriction type, and sets the Label field to a crafted value containing a script block termination sequence followed by an HTML payload. The value is stored in the database without sanitisation and subsequently rendered without encoding inside a JavaScript object literal in the restriction type administration template using the Template Toolkit `$raw` filter. The injected script executes in the browser of any staff member who loads the restriction type administration page.

### Root cause

`admin/restrictions.tt` lines 263 to 267 (both 24.05 and 25.11) use `[% ex.display_text | $raw %]` inside a single-quoted JavaScript string literal with no JSON encoding applied.

### Fix

Replace `[% ex.code | $raw %]: '[% ex.display_text | $raw %]'` with `[% ex.code | json %]: [% ex.display_text | json %]`.
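The following Python is an added illustration, not Koha's code: it simulates the vulnerable and fixed template lines, shows why plain JSON encoding alone is not sufficient inside an inline `<script>` block (the HTML tokenizer ends the element at the first `</script` before any JavaScript runs), and includes a simple check for that early close. The `js_string` helper is an assumption about what the `json` filter in the fix has to provide (JSON encoding plus `\uXXXX` escaping of `<`, `>` and `&`).

```python
import json
import re

# Constructed sample values, mirroring the advisory's proof of concept.
SAMPLE_CODE = "MYCODE"
SAMPLE_LABEL = "';</script><img src=\"x\" onerror=\"alert(document.domain)\">"

# Characters that must not appear literally inside an inline <script> block,
# even inside a JSON string: "</" ends the script element during HTML parsing
# (before any JavaScript runs), and U+2028/U+2029 break some JS parsers.
_JS_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
              "\u2028": "\\u2028", "\u2029": "\\u2029"}

def render_vulnerable(code: str, label: str) -> str:
    """Mimics `[% ex.code | $raw %]: '[% ex.display_text | $raw %]'`: no encoding."""
    return f"<script>\nvar existing = {{\n    {code}: '{label}',\n}};\n</script>"

def naive_json(value: str) -> str:
    """Plain JSON encoding: quotes and backslashes are escaped, but '</script' survives."""
    return json.dumps(value)

def js_string(value: str) -> str:
    """JSON-encode, then replace HTML-significant characters with \\uXXXX escapes.
    Assumed here to be the behaviour the `json` filter in the fix must provide."""
    return "".join(_JS_UNSAFE.get(ch, ch) for ch in json.dumps(value))

def render_fixed(code: str, label: str) -> str:
    """Mimics `[% ex.code | json %]: [% ex.display_text | json %]`."""
    return f"<script>\nvar existing = {{\n    {js_string(code)}: {js_string(label)},\n}};\n</script>"

def script_breakout(html: str) -> bool:
    """Detection check: the HTML tokenizer closes the script element at the first
    '</script' (case-insensitive). More than one such token means an early close."""
    return len(re.findall(r"</script", html, re.IGNORECASE)) > 1

def round_trip(value: str) -> str:
    """The \\uXXXX form is still valid JSON/JS, so the stored value survives decoding."""
    return json.loads(js_string(value))
```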

<https://nvd.nist.gov/vuln/detail/CVE-2026-50765>
