CVE-2024-36057
Published: 07 April 2026
Summary
CVE-2024-36057 is a critical-severity Code Injection (CWE-94) vulnerability in Koha Community (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-36057 is a remote code execution vulnerability affecting Koha Library versions before 23.05.10. The flaw occurs due to insufficient sanitization of user-controllable filenames prior to unzipping in the upload-cover-image.pl script. Specifically, the command "qx/unzip $filename -d $dirname/;" directly incorporates attacker-controlled input into a system shell command, enabling command injection through shell metacharacters embedded in ZIP file filenames.
An unauthenticated remote attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by uploading a malicious ZIP file containing filenames with shell metacharacters and then clicking the "Process Images" button. Successful exploitation grants high-impact remote code execution on the server (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 9.8 (S:U). The issue is classified under CWE-94 (Improper Control of Generation of Code).
Koha release notes for versions 23.05.10 and 23.05.11 document fixes for this vulnerability, recommending upgrades to at least 23.05.10. Mitigation details are available in the official Koha GitLab repositories, alongside a GitHub research repository demonstrating the issue.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55537
Vulnerability details
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by…
more
an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated RCE via command injection in public-facing Koha web application (T1190) using shell metacharacters in ZIP filenames executed via Perl qx/unzip shell command (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of user-controllable inputs like ZIP filenames prior to processing with system commands such as unzip, directly preventing command injection via shell metacharacters.
Mandates timely identification, reporting, and remediation of software flaws like this command injection vulnerability through patching to versions such as Koha 23.05.10.
Enforces restrictions on information inputs to block shell metacharacters in user-supplied filenames used in the upload-cover-image.pl script's unzip command.