CVE-2024-36057
CVSS Score
9.8
EPSS Score
0.1%
EPSS Percentile
27th
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.
| Vendor | n/a |
| Product | n/a |
| Published | Apr 7, 2026 |
| Last Updated | Apr 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for n/a n/a
Be the first to know when new critical vulnerabilities affecting n/a n/a are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
n/a / n/a
n/a
References
gitlab.com: https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md gitlab.com: https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md github.com: https://github.com/hacklantic/Research/tree/main/CVE-2024-36057 koha-community.org: https://koha-community.org/koha-22-05-22-released/