{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36057", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-07T15:16:24.213Z", "dateReserved": "2024-05-19T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T15:16:24.213Z"}, "descriptions": [{"lang": "en", "value": "Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line \"qx/unzip $filename -d $dirname/;\" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36057"}, {"url": "https://koha-community.org/koha-22-05-22-released/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line \"qx/unzip $filename -d $dirname/;\" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images."}], "id": "CVE-2024-36057", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T16:16:21.390", "references": [{"source": "cve@mitre.org", "url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36057"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"source": "cve@mitre.org", "url": "https://koha-community.org/koha-22-05-22-released/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T23:26:16.228514+00:00", "value": {"mitigation_remediation": ["Apply the Koha patch to version 23.05.10 or later to remove the flaw.", "If an upgrade cannot be performed immediately, disable the upload\u2011cover\u2011image functionality or restrict it to administrators only.", "As a temporary workaround, reject ZIP files that contain filenames with shell metacharacters or sanitize the filename prior to unzipping."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of Koha Library older than 23.05.10, including the 22.x series and the 23.05.x releases up to 23.05.09, are affected. Any installation using the default cover\u2011image upload feature remains vulnerable until upgraded to 23.05.10 or later.", "description_and_impact": "Koha Library versions before 23.05.10 allow the execution of arbitrary system commands when a user uploads a ZIP file containing malicious filenames. The vulnerability arises because the supplied filename is directly inserted into the shell command that unzips the file, enabling command injection. Based on the description, it is inferred that an attacker could run arbitrary commands with the privileges of the web server process, potentially compromising confidentiality, integrity, and availability. The flaw is triggered when an attacker uploads a ZIP file and activates the Process Images action in the web interface.", "risk_and_exploitability": "The vulnerability lacks an official CVSS or EPSS score, but its nature indicates a high severity risk. The likely attack vector is the web interface: an attacker must be able to upload a ZIP file and trigger the Process Images action, which is normally possible by a registered user or any visitor with upload permissions. Although not listed in the CISA KEV catalog, the potential for remote code execution makes it a critical risk for any affected deployment."}}}}, "created": "2026-04-08T19:50:21.306058+00:00", "title": "Command Injection via Untrusted Filenames in Koha Library Cover\u2011Image Upload", "updated": "2026-04-08T19:50:21.306146+00:00", "vendors": [], "weaknesses": ["CWE-78"]}