Cyber Resilience

CVE-2025-52360

Severity: High
Published: 25 July 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52360 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-52360 is a Cross-Site Scripting (XSS) vulnerability, mapped to CWE-79, in the OPAC search feature of the Koha Library Management System version 24.05. Unsanitized user input entered into the search field is reflected without proper escaping in the search history interface. This allows arbitrary JavaScript to execute in the victim's browser context when they interact with the search history. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by remote attackers with no privileges required, though it depends on user interaction. An attacker could use social engineering, such as a phishing link or a malicious suggestion, to entice a legitimate user (for example a library patron) to perform a search containing a specially crafted payload. When the user views the search history interface, the reflected input triggers JavaScript execution in the user's session, enabling theft of session tokens, cookies, or other sensitive data, manipulation of the DOM, or actions impersonating the user within the OPAC context.

Mitigation details are available in the referenced advisory at https://gist.github.com/MerttTuran/32289a1d3c173f0b7934237c1696bef1, published alongside the CVE on 2025-07-25.


Vulnerability details

A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history interface, leading to the execution of arbitrary JavaScript in the browser context when the user interacts with the interface.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

XSS in a public-facing web application (T1190) directly enables arbitrary JavaScript execution (T1059.007), which in turn enables session cookie theft (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-79)

- CVE-2025-23538
- CVE-2026-27099
- CVE-2025-12716
- CVE-2026-34563
- CVE-2025-68883
- CVE-2024-13875
- CVE-2026-24778
- CVE-2025-64539
- CVE-2025-23683
- CVE-2024-13055


Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of unsanitized user inputs in the OPAC search field to prevent injection of arbitrary JavaScript payloads.
- SI-15 Information Output Filtering (prevent): Mandates output filtering and encoding in the search history interface to block execution of reflected malicious scripts in the victim's browser.
- Prevent (control identifier not given on this page): Ensures timely identification, reporting, and remediation of the specific XSS flaw in Koha v24.05 OPAC via patching or code corrections.
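The reflected pattern described in the deeper analysis and the two controls named above (SI-10 input validation, SI-15 output filtering), shown as an added Python example written for this page; it is not Koha's own Perl/Template Toolkit code. The search endpoint path and the sample history terms are assumed and constructed for the demonstration.

```python
import html
import re
from urllib.parse import quote

# Constructed search-history terms (not real Koha traffic). The third one is a
# harmless marker string a defender would use in a regression test for CWE-79.
SEARCH_HISTORY = [
    "linux kernel",
    "O'Reilly \"Perl\" books",
    "<script>alert(1)</script>",
]

# Assumed path for the OPAC search endpoint; a placeholder, not Koha's own route.
SEARCH_URL = "/opac-search"


def render_history_vulnerable(terms):
    """The CWE-79 pattern: user-supplied terms interpolated raw into HTML, so
    markup typed into the search box is rendered as markup on the history page."""
    rows = "".join(f"<li><a href='{SEARCH_URL}?q={t}'>{t}</a></li>" for t in terms)
    return f"<ul class='search-history'>{rows}</ul>"


def render_history_hardened(terms):
    """Output filtering (SI-15): encode each term for the context it lands in,
    HTML entity encoding for the text node and percent-encoding for the URL query."""
    rows = "".join(
        f"<li><a href='{SEARCH_URL}?q={quote(t, safe='')}'>"
        f"{html.escape(t, quote=True)}</a></li>"
        for t in terms
    )
    return f"<ul class='search-history'>{rows}</ul>"


MAX_TERM_LEN = 256
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_search_term(term):
    """Input validation (SI-10) as defence in depth: bounds length and strips
    control characters but deliberately keeps '<' and '&', which are legitimate
    in catalogue searches; encoding at output remains the control that stops XSS."""
    cleaned = CONTROL_CHARS.sub("", term).strip()
    return cleaned[:MAX_TERM_LEN]


def renders_raw_script(rendered_html):
    """Regression check for a test suite: True if a raw <script> tag from user
    data survived rendering, i.e. the history page is still vulnerable."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None
```

Running renders_raw_script over both renderers with SEARCH_HISTORY flags the vulnerable one and clears the hardened one, which is the check to keep in place after applying the vendor fix.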
