Cyber Resilience

CVE-2024-36057

CriticalRCE

Published: 07 April 2026

Published
07 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0180 75.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2024-36057 is a critical-severity Code Injection (CWE-94) vulnerability in Koha Community (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-36057 is a remote code execution vulnerability affecting Koha Library versions before 23.05.10. The flaw occurs due to insufficient sanitization of user-controllable filenames prior to unzipping in the upload-cover-image.pl script. Specifically, the command "qx/unzip $filename -d $dirname/;" directly incorporates attacker-controlled input into a system shell command, enabling command injection through shell metacharacters embedded in ZIP file filenames.

An unauthenticated remote attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by uploading a malicious ZIP file containing filenames with shell metacharacters and then clicking the "Process Images" button. Successful exploitation grants high-impact remote code execution on the server (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 9.8 (S:U). The issue is classified under CWE-94 (Improper Control of Generation of Code).

Koha release notes for versions 23.05.10 and 23.05.11 document fixes for this vulnerability, recommending upgrades to at least 23.05.10. Mitigation details are available in the official Koha GitLab repositories, alongside a GitHub research repository demonstrating the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by…

more

an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated RCE via command injection in public-facing Koha web application (T1190) using shell metacharacters in ZIP filenames executed via Perl qx/unzip shell command (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26830Shared CWE-94
CVE-2024-54804Shared CWE-94
CVE-2025-67038Shared CWE-94
CVE-2024-54806Shared CWE-94
CVE-2026-25001Shared CWE-94
CVE-2025-26003Shared CWE-94
CVE-2024-23921Shared CWE-94
CVE-2026-30305Shared CWE-94
CVE-2024-54805Shared CWE-94
CVE-2024-54807Shared CWE-94

Affected Assets

Koha Community
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-controllable inputs like ZIP filenames prior to processing with system commands such as unzip, directly preventing command injection via shell metacharacters.

prevent

Mandates timely identification, reporting, and remediation of software flaws like this command injection vulnerability through patching to versions such as Koha 23.05.10.

prevent

Enforces restrictions on information inputs to block shell metacharacters in user-supplied filenames used in the upload-cover-image.pl script's unzip command.

References