Koha 22.11.24 released

Posted on Posted in 22.11, release, security

27 Feb 2025

Koha is the first free and open source software library automation
package (ILS). Development is sponsored by libraries of varying types
and sizes, volunteers, and support companies from around the world. The
website for the Koha project is:

Koha 22.11.24 can be downloaded from:

Installation instructions can be found at:

  • Koha Wiki
  • OR in the INSTALL files that come in the tarball

Koha 22.11.24 is a bugfix/maintenance release.

It includes 1 enhancements, 10 security fixes.

System requirements

You can learn about the system components (like OS and database) needed for running Koha on the community wiki.

Security bugs

  • 28907 Potential unauthorized access in public REST routes
  • 36081 ArticleRequestsSupportedFormats not enforced server-side
  • 37816 Stop SIP2 from logging passwords
  • 38454 Memory (L1) cache is not flushed before API requests
  • 38467 Template::Toolkit filters can create risky Javascript when not using RFC3986
  • 38469 Circulation returns vulnerable to reflected XSS
  • 38488 Add TT filter using HTML scrubber
  • 38829 [CVE-2025-22954] SQL Injection in lateissues-export.pl

  • 38961 XSS in vendor search

    Sponsored by Chetco Community Public Library

  • 39170 Remote Code Execution within Task Scheduler

Bugfixes

Fines and fees

Other bugs fixed

  • 28097 t/db_dependent/Koha/Account/Line.t test fails with FinesMode set to calculate

Documentation

The Koha manual is maintained in Sphinx. The home page for Koha
documentation is

The Git repository for the Koha manual can be found at

Translations

Complete or near-complete translations of the OPAC and staff
interface are available in this release for the following languages:

  • Arabic (ar_ARAB) (90%)
  • Armenian (hy_ARMN) (100%)
  • Bulgarian (bg_CYRL) (100%)
  • Chinese (Simplified) (96%)
  • Chinese (Traditional) (82%)
  • Czech (72%)
  • Dutch (89%)
  • English (100%)
  • English (New Zealand) (69%)
  • English (USA)
  • English (United Kingdom) (99%)
  • Finnish (96%)
  • French (100%)
  • French (Canada) (96%)
  • German (100%)
  • German (Switzerland) (56%)
  • Greek (70%)
  • Hindi (99%)
  • Italian (92%)
  • Norwegian Bokmål (69%)
  • Persian (fa_ARAB) (77%)
  • Polish (100%)
  • Portuguese (Brazil) (99%)
  • Portuguese (Portugal) (88%)
  • Russian (94%)
  • Slovak (68%)
  • Spanish (100%)
  • Swedish (88%)
  • Telugu (77%)
  • Tetum (54%)
  • Turkish (91%)
  • Ukrainian (79%)
  • hyw_ARMN (generated) (hyw_ARMN) (70%)

Partial translations are available for various other languages.

The Koha team welcomes additional translations; please see

For information about translating Koha, and join the koha-translate
list to volunteer:

The most up-to-date translations can be found at:

Release Team

The release team for Koha 24.05.07 is

  • Release Manager: Katrin Fischer

  • Release Manager assistants:

    • Tomás Cohen Arazi
    • Martin Renvoize
    • Jonathan Druart

  • QA Manager: Martin Renvoize

  • QA Team:

    • Victor Grousset
    • Lisette Scheer
    • Emily Lamancusa
    • David Cook
    • Jonathan Druart
    • Julian Maurice
    • Baptiste Wojtowski
    • Paul Derscheid
    • Aleisha Amohia
    • Laura Escamilla
    • Tomás Cohen Arazi
    • Kyle M Hall
    • Nick Clemens
    • Lucas Gass
    • Marcel de Rooy
    • Matt Blenkinsop
    • Pedro Amorim
    • Brendan Lawlor
    • Thomas Klausner

  • Security Manager: Tomás Cohen Arazi

  • Topic Experts:

    • UI Design — Owen Leonard
    • REST API — Tomás Cohen Arazi
    • Zebra — Fridolin Somers

  • Bug Wranglers:

    • Michaela Sieber
    • Jacob O’Mara
    • Jake Deery

  • Packaging Manager: Mason James

  • Documentation Manager: Philip Orr

  • Documentation Team:

    • Aude Charillon
    • David Nind
    • Caroline Cyr La Rose

  • Wiki curators:

    • George Williams
    • Thomas Dukleth
    • Jonathan Druart
    • Martin Renvoize

  • Release Maintainers:

    • 24.11 — Paul Derscheid
    • 24.05 — Wainui Witika-Park
    • 23.11 — Fridolin Somers
    • 22.11 — Laura Escamilla

Credits

We thank the following libraries, companies, and other institutions who are known to have sponsored
new features in Koha 22.11.24

  • Chetco Community Public Library

We thank the following individuals who contributed patches to Koha 22.11.24

  • Tomás Cohen Arazi (2)
  • David Cook (4)
  • Jonathan Druart (7)
  • Magnus Enger (1)
  • JesseM (2)
  • Julian Maurice (1)
  • Phil Ringnalda (3)
  • Marcel de Rooy (3)
  • Lari Taskula (7)

We thank the following libraries, companies, and other institutions who contributed
patches to Koha 22.11.24

We also especially thank the following individuals who tested patches
for Koha

  • Tomás Cohen Arazi (6)
  • Alex Buckley (8)
  • David Cook (1)
  • Jonathan Druart (2)
  • Magnus Enger (8)
  • Victor Grousset (13)
  • JesseM (12)
  • Brendan Lawlor (1)
  • Owen Leonard (1)
  • Jesse Maseto (10)
  • Julian Maurice (4)
  • Phil Ringnalda (2)
  • Marcel de Rooy (17)
  • Fridolin Somers (9)
  • wainuiwitikapark (2)
  • Baptiste Wojtkowski (1)

We regret any omissions. If a contributor has been inadvertently missed,
please send a patch against these release notes to koha-devel@lists.koha-community.org.

Revision control notes

The Koha project uses Git for version control. The current development
version of Koha can be retrieved by checking out the main branch of:

The branch for this version of Koha and future bugfixes in this release
line is 22.11.x.

Bugs and feature requests

Bug reports and feature requests can be filed at the Koha bug
tracker at:

He rau ringa e oti ai.
(Many hands finish the work)

Autogenerated release notes updated last on 27 Feb 2025 12:50:40.