CVE-2025-22954

high-risk

Published 2025-03-12

GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.

Do I need to act?

11.9% chance of exploitation in next 30 days

EPSS score — higher than 88% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 10.0/10 Critical

NETWORK / LOW complexity

References (2)

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38829

https://koha-community.org/koha-24-11-02-released/

/ 100

high-risk

Severity 33/34 · Critical

Exploitability 12/34 · Low

Exposure 5/34 · Minimal