A vulnerability was found in Koha up to 25.11 . It has been classified as problematic . Impacted is an unknown function of the component Invoice Feature . The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2026-26378 . It is possible to initiate the attack remotely. There is no exploit available.