CVE-2025-22954 (CVSS 10): Koha Library Systems at High Risk, Patch Immediately


A critical SQL injection vulnerability (CVE-2025-22954, CVSS 10) has been found in Koha, an open-source library management system. The flaw is in lateissues-export.pl, where the supplierid and serialid parameters handled by the GetLateOrMissingIssues function are not properly sanitized. It allows unauthenticated SQL injection in versions ≤ 21.11.x and authenticated SQL injection in later versions. An attacker could read, modify, or delete database records, leading to a data breach.

To mitigate the issue, Koha 24.11.02 has been released, fixing the vulnerability and introducing additional security enhancements, including XSS prevention, CSRF protection, safer template filters, and RCE fixes. Users are strongly advised to upgrade immediately.
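As an added illustration (not Koha's own Perl code; the schema, status codes and function names are constructed stand-ins), the pattern behind this class of flaw and its fix, in Python with sqlite3: the first function splices `supplierid` and `serialid` into the query text, the second keeps the SQL fixed and passes validated values as bind parameters, the same discipline DBI placeholders give in Perl.

```python
import sqlite3

# Constructed stand-in for the serials/subscription data the report describes
# (illustrative only; not Koha's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE subscription (subscriptionid INTEGER PRIMARY KEY,
                                   aqbooksellerid INTEGER);
        CREATE TABLE serial (serialid INTEGER PRIMARY KEY,
                             subscriptionid INTEGER, status INTEGER);
        INSERT INTO subscription VALUES (1, 10), (2, 20);
        -- constructed status codes: 3 = late, 4 = missing, 2 = arrived
        INSERT INTO serial VALUES (100, 1, 3), (101, 1, 4),
                                  (102, 2, 3), (103, 2, 2);
    """)
    return conn

BASE_SQL = ("SELECT serialid FROM serial "
            "JOIN subscription USING (subscriptionid) "
            "WHERE status IN (3, 4)")

def get_late_or_missing_issues_unsafe(conn, supplierid=None, serialid=None):
    """Vulnerable pattern: request values are spliced into the SQL text."""
    sql = BASE_SQL
    if supplierid:
        sql += f" AND aqbooksellerid = {supplierid}"
    if serialid:
        sql += f" AND serialid = {serialid}"
    return sorted(row[0] for row in conn.execute(sql))

def get_late_or_missing_issues(conn, supplierid=None, serialid=None):
    """Hardened: fixed SQL text; values are validated and bound as parameters."""
    sql, params = BASE_SQL, []
    if supplierid is not None:
        sql += " AND aqbooksellerid = ?"
        params.append(int(supplierid))  # ids are integers; anything else raises
    if serialid is not None:
        sql += " AND serialid = ?"
        params.append(int(serialid))
    return sorted(row[0] for row in conn.execute(sql, params))

if __name__ == "__main__":
    db = make_db()
    tampered = "10 OR 1=1"  # a malformed value instead of a numeric id
    # Unsafe: the OR escapes the WHERE clause and returns every serial row.
    print(get_late_or_missing_issues_unsafe(db, supplierid=tampered))
    try:
        get_late_or_missing_issues(db, supplierid=tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the unsafe variant returns even the arrived issue (status 2), because `AND` binds tighter than `OR` and the injected clause disables the whole filter.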
