# CVE-2026-50767

## About the Application

Koha is an open source, web-based integrated library system (ILS) used by libraries of all types worldwide to manage cataloguing, circulation, acquisitions and patron records. It provides two main interfaces: a staff interface (the intranet) for library administration and an Online Public Access Catalogue (OPAC) through which library users can search and browse the collection.

## About the Finding

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (`checkinmsg`).

## Proof of Concept

1. Log in to the Koha staff interface with an administrator account.
2. Navigate to Administration > Item types.
3. Edit or create an item type. Set the Check-in message field to:

```
<img src="x" onerror="alert(document.domain)">
```

4. Save the item type.
5. Navigate back to Administration > Item types.
6. The onerror handler fires when the item type list renders.

## Conclusion

An authenticated administrator navigates to Administration > Item types in the Koha staff interface, creates or edits an item type, and sets the Check-in message field to a crafted HTML payload. The value is stored in the database without sanitisation and subsequently rendered using an incorrect Template Toolkit filter chain that applies `html_line_break` before `$raw`. Because `html_line_break` does not encode HTML special characters and `$raw` bypasses all HTML encoding, the payload is output verbatim to the browser of any staff member who views the item type administration page.

#### Root cause

`admin/itemtypes.tt` (line 486 in 24.05, line 508 in 25.11) uses the filter chain `[% itemtype.checkinmsg | html_line_break | $raw %]`. Template Toolkit applies filters left to right: `html_line_break` converts newlines to HTML line-break tags but does not encode HTML special characters, and `$raw` then outputs the combined result without any encoding.

The correct filter order is `| html | html_line_break`, which encodes HTML characters first so special characters in the original value cannot be interpreted as markup.

#### Fix

Change `[% itemtype.checkinmsg | html_line_break | $raw %]` to `[% itemtype.checkinmsg | html | html_line_break %]`.
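The filter-order point above can be checked directly against Template Toolkit. The script below is an added example, not code from the advisory or from Koha; it runs the vulnerable chain, the fixed chain and the other wrong order (`html_line_break | html`) over a constructed check-in message, and assumes the `Template` module is installed and that Koha's `$raw` filter can be stood in by a locally defined pass-through filter of the same name.

```perl
#!/usr/bin/perl
# Added example: compare Template Toolkit filter chains for the checkinmsg field.
# Requires the Template module. Koha's $raw filter (which emits its input
# unchanged) is emulated here by a pass-through filter named "raw".
use strict;
use warnings;
use Template;

# Constructed sample value: a newline followed by the advisory's payload.
my $checkinmsg = "Return to desk\n<img src=\"x\" onerror=\"alert(document.domain)\">";

my $tt = Template->new({ FILTERS => { raw => sub { return $_[0] } } })
    or die Template->error;

# Ordered list of [label, template] pairs to render.
my @chains = (
    [ 'vulnerable (html_line_break | $raw)', '[% itemtype.checkinmsg | html_line_break | $raw %]' ],
    [ 'fixed      (html | html_line_break)', '[% itemtype.checkinmsg | html | html_line_break %]' ],
    [ 'also wrong (html_line_break | html)', '[% itemtype.checkinmsg | html_line_break | html %]' ],
);

for my $chain (@chains) {
    my ($label, $template) = @$chain;
    my $out = '';
    # "raw => 'raw'" lets the dynamic filter reference $raw resolve to our filter.
    $tt->process(\$template, { itemtype => { checkinmsg => $checkinmsg }, raw => 'raw' }, \$out)
        or die $tt->error;

    # A literal "<img" in the output is parsed by the browser as markup;
    # a literal "<br" means the intended line break survived the encoding.
    my $markup = $out =~ /<img/  ? 'payload reaches browser as markup' : 'payload encoded';
    my $break  = $out =~ /<br/   ? 'line break preserved'              : 'line break lost';
    print "$label -> $markup, $break\n$out\n\n";
}
```

Only the fixed order both encodes the payload and keeps the `<br />` that `html_line_break` inserts; reversing the two filters encodes the line-break tag as well, which is why the order matters and not just the removal of `$raw`.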

<https://nvd.nist.gov/vuln/detail/CVE-2026-50767>
