
CVE-2025-52360: Cross-Site Scripting in the Koha Library Management System 24.05 OPAC search history (no title supplied in the CVE record)

Severity: High
Published: Fri Jul 25 2025 (07/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history interface, leading to the execution of arbitrary JavaScript in the browser context when the user interacts with the interface.

AI-Powered Analysis

Last updated: 07/25/2025, 14:47:44 UTC

Technical Analysis

CVE-2025-52360 is a Cross-Site Scripting (XSS) vulnerability in the OPAC (Online Public Access Catalog) search feature of the Koha Library Management System version 24.05. Search terms submitted through the OPAC are recorded in the user's search history and displayed back in the search history interface without adequate output encoding, so a term containing HTML or JavaScript is rendered as markup rather than as text and executes in the browser of whoever views that history. The CVE description calls the flaw reflected; in practice the payload is persisted with the history entry and fires later, when the victim interacts with the search history interface, not only in the response to the search request itself. The consequences are those of any XSS in a web application with logged-in users: theft of session cookies where they are not marked HttpOnly, disclosure of patron data visible through the OPAC account, and requests issued as the victim within the OPAC. No authentication is needed to submit a search, since the OPAC is normally public, but an attacker still needs a victim to run the crafted search (for example by following a crafted OPAC search link) and then open the history. Koha keeps OPAC search history per visitor (in the browser for anonymous users, on the patron's account once logged in), so an injected entry lands in the history of the user who submitted the search rather than in a shared list. No CVSS score has been assigned and no exploitation in the wild has been reported. No patch links are attached to the record, which may mean a fix had not been published when the record was created or simply that the advisory was not linked; administrators should check the release notes of the 24.05.x maintenance releases.
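The rendering defect described above, as an added example that is not Koha's code: a search-history list item built from an untrusted search term, first with the term spliced straight into markup, then with URL and HTML output encoding. The OPAC path and the q= parameter follow Koha's real URLs; the rendering functions, the regex probes and the sample history terms are constructed for this illustration.

```javascript
// Added example, not Koha's code: how an untrusted OPAC search term reaches a
// search-history list item. The path and q= parameter mirror Koha's OPAC URLs;
// the rendering, the probes and the sample terms are constructed here.

const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const REVERSE_MAP = Object.fromEntries(Object.entries(ENTITY_MAP).map(([c, e]) => [e, c]));

// Encode for an HTML text node or a double-quoted attribute value.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// Inverse of encodeHtml; used to show the encoded entry still denotes the same search.
function decodeHtml(s) {
  return String(s).replace(/&amp;|&lt;|&gt;|&quot;|&#39;/g, (e) => REVERSE_MAP[e]);
}

// Vulnerable: the raw term is spliced into an attribute value and a text node.
// This is the defect class the CVE describes, kept deliberately unsafe.
function renderHistoryItemVulnerable(term) {
  return `<li><a href="/cgi-bin/koha/opac-search.pl?q=${term}">${term}</a></li>`;
}

// Hardened: percent-encode the query value for the URL, then entity-encode
// everything that lands in markup (the href attribute and the link text).
function renderHistoryItemSafe(term) {
  const href = "/cgi-bin/koha/opac-search.pl?q=" + encodeURIComponent(term);
  return `<li><a href="${encodeHtml(href)}">${encodeHtml(term)}</a></li>`;
}

// Structural probes built on regexes (adequate for this small fragment, not a
// general HTML parser): the element names present, and the attribute names on
// the <a> element. The template itself contributes only li, a and href.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) names.add(m[1].toLowerCase());
  return [...names].sort();
}

function anchorAttributeNames(html) {
  const open = /<a(\s[^>]*)>/.exec(html);
  if (!open) return [];
  return [...open[1].matchAll(/\s([a-zA-Z-]+)\s*=/g)].map((m) => m[1].toLowerCase()).sort();
}

function anchorText(html) {
  const m = /<a\s[^>]*>([\s\S]*?)<\/a>/.exec(html);
  return m ? m[1] : null;
}

// Constructed sample history: one ordinary term, then a tag injection and an
// attribute break-out of the kind a crafted OPAC search link could carry.
const SAMPLE_HISTORY = [
  "library & information science",
  "<script>alert(document.cookie)</script>",
  '" onmouseover="alert(1)',
];

// True when the fragment contains elements or <a> attributes beyond the template's own.
function injectsMarkup(html) {
  return tagNames(html).some((t) => t !== "a" && t !== "li")
    || anchorAttributeNames(html).some((a) => a !== "href");
}

// For each term: does the vulnerable rendering add elements or attributes the
// template did not have, does the safe rendering stay clean, and does the safe
// rendering's link text still decode to the exact search the user typed?
function compareRenderings(terms) {
  return terms.map((term) => {
    const safe = renderHistoryItemSafe(term);
    return {
      term,
      vulnerableInjects: injectsMarkup(renderHistoryItemVulnerable(term)),
      safeInjects: injectsMarkup(safe),
      safeRoundTrips: decodeHtml(anchorText(safe)) === term,
    };
  });
}

console.log(JSON.stringify(compareRenderings(SAMPLE_HISTORY), null, 2));
```

The point the round-trip check makes is that output encoding loses nothing: the hostile terms are still shown verbatim to the user as text, and re-running them from the link still searches for the same string, so there is no reason to fall back on stripping characters at input time.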

Potential Impact

For European organizations running Koha, chiefly public and academic libraries and the educational institutions they serve, the exposure is to the confidentiality and integrity of patron sessions and data rather than to the servers themselves. A script running in a patron's or staff member's OPAC session can read what that session can read (account details, loans, holds), submit the requests the OPAC allows, and attempt to lift session cookies if they are not marked HttpOnly. Koha is widely deployed across European libraries, so a weakness in the public catalog reaches a large population of users, and a successful attack erodes trust in the library's online services. The XSS could also serve as a stepping stone for phishing or malware delivery aimed at patrons. Two factors shape the actual risk: the search form is public, so anyone on the internet can craft a payload, but the payload only runs after a victim executes the crafted search and then interacts with their own search history, which also limits how far a single injected entry can spread.

Mitigation Recommendations

The durable fix belongs in the code, not in input filtering: the search history template must encode search terms for the context they are inserted into (HTML text, attribute value or URL component) at render time. Koha's templates are Template Toolkit, where the idiom is to pass untrusted values through the `| html` filter (or `| uri` for URL parts); stripping or rejecting special characters at input would break legitimate searches for titles containing quotes, ampersands or angle brackets and would still miss encoded variants. Organizations should watch Koha's security advisories and release notes and upgrade to the maintenance release that carries the fix as soon as it is available. Until then, administrators can turn off OPAC search history with the EnableOpacSearchHistory system preference, which removes the vulnerable interface at the cost of the feature. Defense in depth that is worth having regardless: send a Content-Security-Policy header from the web server in front of Koha so that inline scripts from injected markup do not execute (test it against Koha's own inline JavaScript before switching from report-only to enforcement), and make sure session cookies carry the HttpOnly and Secure flags. Review web-server access logs for requests to opac-search.pl whose q parameter decodes to markup, event-handler attributes or javascript: URIs, and treat a client that submits such terms and then loads the search history page as a probable probe. Brief staff that search-history entries containing odd markup are a sign of tampering to be reported rather than clicked.
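For the log review recommended above, an added example (not Koha's code) of detection logic run over constructed Apache combined-format access log lines: it picks out requests to the OPAC search script whose q= parameter, once URL-decoded, carries a tag, an event-handler attribute or a javascript: URI, and keeps a plain term such as "a < b" out of the alerts. The path /cgi-bin/koha/opac-search.pl and the parameter name q are Koha's; the client addresses, timestamps and user agents are made up.

```javascript
// Added example, not Koha's code: triage of web-server access logs for XSS
// probes against the OPAC search endpoint. /cgi-bin/koha/opac-search.pl and
// the q= parameter are Koha's real names; the Apache combined-format lines
// below are constructed (documentation IP ranges, made-up timestamps).

const SAMPLE_LOG = [
  '203.0.113.10 - - [25/Jul/2025:10:01:02 +0000] "GET /cgi-bin/koha/opac-search.pl?q=tolkien HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [25/Jul/2025:10:01:09 +0000] "GET /cgi-bin/koha/opac-search.pl?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5133 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [25/Jul/2025:10:02:44 +0000] "GET /cgi-bin/koha/opac-search.pl?q=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 5140 "-" "curl/8.5.0"',
  '198.51.100.7 - - [25/Jul/2025:10:02:50 +0000] "GET /cgi-bin/koha/opac-search.pl?q=a%20%3C%20b HTTP/1.1" 200 5099 "-" "curl/8.5.0"',
  '192.0.2.33 - - [25/Jul/2025:10:03:15 +0000] "GET /cgi-bin/koha/opac-detail.pl?biblionumber=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
];

const SEARCH_PATH = "/cgi-bin/koha/opac-search.pl";

// Apache combined log: client, identd, user, [time], "METHOD target HTTP/x", status ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) /;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  // URL's searchParams percent-decodes each value once, so the signatures
  // below see what the OPAC would have stored, not the raw query string.
  const url = new URL(m[4], "http://opac.invalid");
  return { ip: m[1], time: m[2], method: m[3], path: url.pathname, params: url.searchParams, status: Number(m[5]) };
}

// Signatures tuned to avoid flagging ordinary search terms that merely contain
// '<' or '=': a tag must open with a letter directly after '<', and an event
// handler must be a standalone on...= token.
const XSS_SIGNATURES = [
  ["html_tag", /<\/?[a-z][\w-]*[\s>\/]/i],   // <script>, </script>, <img src=, <svg/onload
  ["event_handler", /\bon[a-z]+\s*=/i],     // onmouseover=, onerror=
  ["javascript_uri", /javascript\s*:/i],    // href="javascript:..."
];

// Names of the signatures a decoded search term triggers (empty for a clean term).
function classifyTerm(term) {
  return XSS_SIGNATURES.filter(([, re]) => re.test(term)).map(([name]) => name);
}

// One finding per suspicious q= value on a request to the search script.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || req.path !== SEARCH_PATH) continue;
    for (const term of req.params.getAll("q")) {
      const reasons = classifyTerm(term);
      if (reasons.length) findings.push({ ip: req.ip, time: req.time, term, reasons });
    }
  }
  return findings;
}

// Per-client tally, the usual first pivot when deciding whether to block a source.
function countByIp(findings) {
  const counts = {};
  for (const f of findings) counts[f.ip] = (counts[f.ip] || 0) + 1;
  return counts;
}

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
console.log(countByIp(scanAccessLog(SAMPLE_LOG)));
```

This is a triage heuristic, not a parser: a production rule would decode a second time to catch double-encoded payloads, inspect POST bodies if the search form is ever submitted that way, and correlate a flagged client with a later request to the search history page from the same session, which is the sequence the vulnerability needs.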


Technical Details

Data version: 5.1
Assigner short name: mitre
Date reserved: 2025-06-16T00:00:00.000Z
CVSS version: none (no score assigned)
State: PUBLISHED

Threat ID: 6883958dad5a09ad0050e728

Added to database: 7/25/2025, 2:32:45 PM

Last enriched: 7/25/2025, 2:47:44 PM

Last updated: 7/26/2025, 6:59:16 AM