CVE-2024-36057

Critical

Published: 07 April 2026

Published

07 April 2026

Modified

09 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 34.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by…

an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of user-controllable inputs like ZIP filenames prior to processing with system commands such as unzip, directly preventing command injection via shell metacharacters.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and remediation of software flaws like this command injection vulnerability through patching to versions such as Koha 23.05.10.

SI-9 Information Input Restrictions partial match

prevent

Enforces restrictions on information inputs to block shell metacharacters in user-supplied filenames used in the upload-cover-image.pl script's unzip command.

Security SummaryAI

CVE-2024-36057 is a remote code execution vulnerability affecting Koha Library versions before 23.05.10. The flaw occurs due to insufficient sanitization of user-controllable filenames prior to unzipping in the upload-cover-image.pl script. Specifically, the command "qx/unzip $filename -d $dirname/;" directly incorporates attacker-controlled input into a system shell command, enabling command injection through shell metacharacters embedded in ZIP file filenames.

An unauthenticated remote attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by uploading a malicious ZIP file containing filenames with shell metacharacters and then clicking the "Process Images" button. Successful exploitation grants high-impact remote code execution on the server (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 9.8 (S:U). The issue is classified under CWE-94 (Improper Control of Generation of Code).

Koha release notes for versions 23.05.10 and 23.05.11 document fixes for this vulnerability, recommending upgrades to at least 23.05.10. Mitigation details are available in the official Koha GitLab repositories, alongside a GitHub research repository demonstrating the issue.

Details

CWE(s): CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Unauthenticated RCE via command injection in public-facing Koha web application (T1190) using shell metacharacters in ZIP filenames executed via Perl qx/unzip shell command (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/hacklantic/Research/tree/main/CVE-2024-36057
cve@mitre.org
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md
cve@mitre.org
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md
cve@mitre.org
https://koha-community.org/koha-22-05-22-released/
cve@mitre.org