diff --git a/C4/Letters.pm b/C4/Letters.pm
index ab16f729c5..25300bd5ec 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -602,6 +602,28 @@ sub GetPreparedLetter {
          return;
     my $want_librarian = $params{want_librarian};
 
+    $letter->{content} = _process_tt(
+        {
+            content    => $letter->{content},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
+    $letter->{title} = _process_tt(
+        {
+            content    => $letter->{title},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
     if (%$substitute) {
         while ( my ($token, $val) = each %$substitute ) {
             $val //= q{};
@@ -672,28 +694,6 @@ sub GetPreparedLetter {
         }
     }
 
-    $letter->{content} = _process_tt(
-        {
-            content    => $letter->{content},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
-    $letter->{title} = _process_tt(
-        {
-            content    => $letter->{title},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
     $letter->{content} =~ s/<<\S*>>//go; #remove any stragglers
 
     return $letter;
diff --git a/Koha.pm b/Koha.pm
index 9fccf7c268..38e852024c 100644
--- a/Koha.pm
+++ b/Koha.pm
@@ -29,7 +29,7 @@ use vars qw{ $VERSION };
 # - #4 : the developer version. The 4th number is the database subversion.
 #        used by developers when the database changes. updatedatabase take care of the changes itself
 #        and is automatically called by Auth.pm when needed.
-$VERSION = "22.11.15.000";
+$VERSION = "22.11.16.000";
 
 sub version {
     return $VERSION;
diff --git a/acqui/check_uniqueness.pl b/acqui/check_uniqueness.pl
index b665b34c3a..791814095f 100755
--- a/acqui/check_uniqueness.pl
+++ b/acqui/check_uniqueness.pl
@@ -37,6 +37,13 @@ use C4::Output qw( output_with_http_headers );
 use C4::Items qw( SearchItems );
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my @field = $input->multi_param('field[]');
 my @value = $input->multi_param('value[]');
 
diff --git a/catalogue/image.pl b/catalogue/image.pl
index 41eebc019c..efdcae4937 100755
--- a/catalogue/image.pl
+++ b/catalogue/image.pl
@@ -33,6 +33,13 @@ use Koha::CoverImages;
 $| = 1;
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $imagenumber;
 
 =head1 NAME
diff --git a/cataloguing/plugin_launcher.pl b/cataloguing/plugin_launcher.pl
index 90105f326c..b31ca52c89 100755
--- a/cataloguing/plugin_launcher.pl
+++ b/cataloguing/plugin_launcher.pl
@@ -19,10 +19,18 @@
 
 use Modern::Perl;
 use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
 
 use Koha::FrameworkPlugin;
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $plugin= Koha::FrameworkPlugin->new( {
     name => scalar $input->param("plugin_name"),
 });
diff --git a/cataloguing/value_builder/barcode.pl b/cataloguing/value_builder/barcode.pl
index b166b46c4d..5ec7dbece4 100755
--- a/cataloguing/value_builder/barcode.pl
+++ b/cataloguing/value_builder/barcode.pl
@@ -29,6 +29,16 @@ use Koha::DateUtils qw( dt_from_string );
 
 use Algorithm::CheckDigits qw( CheckDigits );
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/barcode_manual.pl b/cataloguing/value_builder/barcode_manual.pl
index a7d015ba7a..67891789e3 100755
--- a/cataloguing/value_builder/barcode_manual.pl
+++ b/cataloguing/value_builder/barcode_manual.pl
@@ -27,6 +27,16 @@ use C4::Barcodes::ValueBuilder;
 use C4::Biblio qw( GetMarcFromKohaField );
 use Koha::DateUtils qw( dt_from_string );
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/dateaccessioned.pl b/cataloguing/value_builder/dateaccessioned.pl
index 808fc80116..c4f7746b7f 100755
--- a/cataloguing/value_builder/dateaccessioned.pl
+++ b/cataloguing/value_builder/dateaccessioned.pl
@@ -21,6 +21,16 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/marc21_field_005.pl b/cataloguing/value_builder/marc21_field_005.pl
index 545a1a4f91..6428bd61a9 100755
--- a/cataloguing/value_builder/marc21_field_005.pl
+++ b/cataloguing/value_builder/marc21_field_005.pl
@@ -21,6 +21,16 @@
 
 use Modern::Perl;
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/marc21_field_245h.pl b/cataloguing/value_builder/marc21_field_245h.pl
index 667ae2249a..4fe4a2f1e7 100755
--- a/cataloguing/value_builder/marc21_field_245h.pl
+++ b/cataloguing/value_builder/marc21_field_245h.pl
@@ -20,7 +20,17 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
-use C4::Context;
+
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 
 my $builder = sub {
     my ( $params ) = @_;
diff --git a/cataloguing/value_builder/marc21_field_260b.pl b/cataloguing/value_builder/marc21_field_260b.pl
index 406feb4122..e9a74a07ba 100755
--- a/cataloguing/value_builder/marc21_field_260b.pl
+++ b/cataloguing/value_builder/marc21_field_260b.pl
@@ -27,6 +27,16 @@ biblioitems.publishercode
 use Modern::Perl;
 use C4::Context;
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/marc21_orgcode.pl b/cataloguing/value_builder/marc21_orgcode.pl
index aa9142cfc7..0dd985803c 100755
--- a/cataloguing/value_builder/marc21_orgcode.pl
+++ b/cataloguing/value_builder/marc21_orgcode.pl
@@ -24,6 +24,15 @@ use Modern::Perl;
 use C4::Context;
 
 use Koha::Libraries;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $builder = sub {
     my ( $params ) = @_;
diff --git a/cataloguing/value_builder/stocknumber.pl b/cataloguing/value_builder/stocknumber.pl
index 51d7a1986c..61885d12b0 100755
--- a/cataloguing/value_builder/stocknumber.pl
+++ b/cataloguing/value_builder/stocknumber.pl
@@ -21,6 +21,15 @@
 
 use Modern::Perl;
 use C4::Context;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $builder = sub {
     my ( $params ) = @_;
diff --git a/cataloguing/value_builder/upload.pl b/cataloguing/value_builder/upload.pl
index 82b9816f62..eeb422d525 100755
--- a/cataloguing/value_builder/upload.pl
+++ b/cataloguing/value_builder/upload.pl
@@ -30,6 +30,16 @@ use Modern::Perl;
 # the possibility to delete the uploaded file. If the field is empty, you
 # can upload a new file.
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     return <<"SCRIPT";
diff --git a/debian/templates/apache-shared-intranet.conf b/debian/templates/apache-shared-intranet.conf
index dbeaf0dca5..bc78833b08 100644
--- a/debian/templates/apache-shared-intranet.conf
+++ b/debian/templates/apache-shared-intranet.conf
@@ -13,7 +13,7 @@ ScriptAlias /search "/usr/share/koha/intranet/cgi-bin/catalogue/search.pl"
 
 # Protect dev package install
 RewriteEngine on
-RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]
+RewriteRule ^/cgi-bin/koha/(C4|debian|docs|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]
 
 RewriteRule ^/bib/([^\/]*)/?$ /cgi-bin/koha/catalogue/detail.pl?biblionumber=$1 [PT]
 RewriteRule ^/isbn/([^\/]*)/?$ /search?q=isbn:$1 [PT]
diff --git a/installer/data/mysql/db_revs/221115001.pl b/installer/data/mysql/db_revs/221115001.pl
new file mode 100755
index 0000000000..5fd40ecb2d
--- /dev/null
+++ b/installer/data/mysql/db_revs/221115001.pl
@@ -0,0 +1,27 @@
+use Modern::Perl;
+
+return {
+    bug_number  => "36244",
+    description => "Template Toolkit syntax not escaped in letter templates",
+    up          => sub {
+        my ($args) = @_;
+        my ( $dbh, $out ) = @$args{qw(dbh out)};
+
+        my $query = q{SELECT * FROM letter WHERE content LIKE "[|%%SET%<<%|%]" ESCAPE '|'};
+        my $sth   = $dbh->prepare($query);
+        $sth->execute();
+        if ( $sth->rows ) {
+            say $out "You have one or more templates that have been affected by bug 36244.";
+            say $out "These templates assign template toolkit variables values";
+            say $out "using the double arrows syntax. E.g. [% SET name = '<<branches.branchname>>' %]";
+            say $out
+                "This will no longer function correctly as Template Toolkit is now rendered before the double arrow syntax.";
+            say $out "The following notices will need to be updated:";
+
+            while ( my $row = $sth->fetchrow_hashref() ) {
+                say $out
+                    "ID: $row->{id} / MODULE: $row->{module} / CODE: $row->{code} / BRANCHCODE: $row->{branchcode} / NAME: $row->{name}";
+            }
+        }
+    },
+};
diff --git a/installer/data/mysql/db_revs/221116000.pl b/installer/data/mysql/db_revs/221116000.pl
new file mode 100755
index 0000000000..6896a11353
--- /dev/null
+++ b/installer/data/mysql/db_revs/221116000.pl
@@ -0,0 +1,7 @@
+use Modern::Perl;
+
+return {
+    bug_number  => undef,
+    description => 'Koha 22.11.16 release',
+    up          => sub { },
+}
diff --git a/installer/externalmodules.pl b/installer/externalmodules.pl
deleted file mode 100755
index f836ccf023..0000000000
--- a/installer/externalmodules.pl
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/perl
-
-# This Script can be used to provide a list of ALL external modules ***used*** (uncommented) in Koha.
-# It provides you not only the list of modules BUT ALSO the files that uses those modules.
-# utf8 or warnings or other lib use are not taken into account at the moment.
-
-use Modern::Perl;
-use C4::Context;
-
-my $dir=C4::Context->config('intranetdir');
-qx(grep -r "^ *use" $dir | grep -v "C4\|strict\|vars" >/tmp/modulesKoha.log);
-$dir=C4::Context->config('opacdir');
-qx(grep -r "^ *use" $dir | grep -v "C4\|strict\|vars" >>/tmp/modulesKoha.log);
-
-open my $fh, '<', '/tmp/modulesKoha.log' ||die "unable to open file /tmp/modulesKoha.log";
-my %modulehash;
-while (my $line=<$fh>){
-  if ( $line=~m#(.*)\:\s*use\s+([A-Z][^\s;]+)# ){
-    my ($file,$module)=($1,$2);
-    my @filename = split /\//, $file;
-    push @{$modulehash{$module}},$filename[scalar(@filename) - 1];
-  }
-}
-print "external modules used in Koha ARE :\n";
-map {print "* $_ \t in files ",join (",",@{$modulehash{$_}}),"\n" } sort keys %modulehash;
-close $fh;
-unlink "/tmp/modulesKoha.log";
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc
index 3727737311..212313086a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc
@@ -52,7 +52,7 @@
         <ul>
             <li><a href="/cgi-bin/koha/reports/itemslost.pl">Lost items</a></li>
             <li><a href="/cgi-bin/koha/reports/orders_by_fund.pl">Orders by fund</a></li>
-            <li><a href="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">Catalog by item type</a></li>
+            <li><a href="/cgi-bin/koha/reports/catalog_by_itemtype.pl">Catalog by item type</a></li>
             <li><a href="/cgi-bin/koha/reports/issues_avg_stats.pl">Average loan time</a></li>
         </ul>
     </div>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index e87cb438c4..9ef3ebe7e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -219,7 +219,9 @@
     <script>
         $(document).ready( function() {
             if ( document.location.hash ) {
-                $( '#loginform' ).append( '<input name="auth_forwarded_hash" type="hidden" value="' + document.location.hash + '"/>' );
+                const input = $('<input name="auth_forwarded_hash" type="hidden">')
+                input.val(document.location.hash);
+                $( '#loginform' ).append( input );
             }
             // Clear last borrowers, rememberd sql reports, carts, etc.
             logOut();
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt
index 4cbcac58ec..df8c430781 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt
@@ -22,7 +22,7 @@
         [% END %]
         [% IF ( do_it ) %]
             [% WRAPPER breadcrumb_item %]
-                <a href="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">Catalog by item type</a>
+                <a href="/cgi-bin/koha/reports/catalog_by_itemtype.pl">Catalog by item type</a>
             [% END %]
             [% WRAPPER breadcrumb_item bc_active= 1 %]
                 <span>Results</span>
@@ -69,7 +69,7 @@
 [% END %]
 [% ELSE %]
         <h1>View a count of items held at your library grouped by item type</h1>
-        <form method="post" action="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">
+        <form method="post" action="/cgi-bin/koha/reports/catalog_by_itemtype.pl">
           <fieldset class="rows">
             <ol>
               <li>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt
index 2108e2c0b4..99c15aa758 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt
@@ -87,7 +87,7 @@
         <ul>
             <li><a href="/cgi-bin/koha/reports/itemslost.pl">Items lost</a></li>
             <li><a href="/cgi-bin/koha/reports/orders_by_fund.pl">Orders by fund</a></li>
-            <li><a href="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">Catalog by item type</a></li>
+            <li><a href="/cgi-bin/koha/reports/catalog_by_itemtype.pl">Catalog by item type</a></li>
             <li><a href="/cgi-bin/koha/reports/issues_avg_stats.pl">Average loan time</a></li>
             [% SET koha_version = Koha.Version %]
             [% IF koha_version.development %]
diff --git a/labels/label-create-csv.pl b/labels/label-create-csv.pl
index 8c06a41a0b..80c662e85a 100755
--- a/labels/label-create-csv.pl
+++ b/labels/label-create-csv.pl
@@ -26,6 +26,12 @@ use Text::CSV_XS;
 use C4::Labels;
 
 my $cgi = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $batch_id;
 my @label_ids;
diff --git a/labels/label-create-xml.pl b/labels/label-create-xml.pl
index 3962cfb502..a3bec34ec0 100755
--- a/labels/label-create-xml.pl
+++ b/labels/label-create-xml.pl
@@ -26,6 +26,12 @@ use XML::Simple;
 use C4::Labels;
 
 my $cgi = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $batch_id;
 my @label_ids;
diff --git a/koha_perl_deps.pl b/misc/devel/koha_perl_deps.pl
similarity index 100%
rename from koha_perl_deps.pl
rename to misc/devel/koha_perl_deps.pl
diff --git a/misc/release_notes/release_notes_22_11_16.html b/misc/release_notes/release_notes_22_11_16.html
new file mode 100644
index 0000000000..a1578f3ad2
--- /dev/null
+++ b/misc/release_notes/release_notes_22_11_16.html
@@ -0,0 +1,304 @@
+<h1 id="releasenotesforkoha22.11.16">RELEASE NOTES FOR KOHA 22.11.16</h1>
+
+<p>25 Mar 2024</p>
+
+<p>Koha is the first free and open source software library automation
+package (ILS). Development is sponsored by libraries of varying types
+and sizes, volunteers, and support companies from around the world. The
+website for the Koha project is:</p>
+
+<ul>
+<li><a href="http://koha-community.org">Koha Community</a></li>
+</ul>
+
+<p>Koha 22.11.16 can be downloaded from:</p>
+
+<ul>
+<li><a href="http://download.koha-community.org/koha-22.11.16.tar.gz">Download</a></li>
+</ul>
+
+<p>Installation instructions can be found at:</p>
+
+<ul>
+<li><a href="http://wiki.koha-community.org/wiki/Installation_Documentation">Koha Wiki</a></li>
+<li>OR in the INSTALL files that come in the tarball</li>
+</ul>
+
+<p>Koha 22.11.16 is a bugfix/maintenance release with security fixes.</p>
+
+<p>It includes 3 bugfixes.</p>
+
+<p><strong>System requirements</strong></p>
+
+<p>You can learn about the system components (like OS and database) needed for running Koha on the <a href="https://wiki.koha-community.org/wiki/System_requirements_and_recommendations">community wiki</a>.</p>
+
+<h2 id="bugfixes">Bugfixes</h2>
+
+<h3 id="architectureinternalsandplumbing">Architecture, internals, and plumbing</h3>
+
+<h4 id="otherbugsfixed">Other bugs fixed</h4>
+
+<ul>
+<li><a href="http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36176">36176</a> [23.11 and below] We need tests to check for 'cud-' operations in stable branches (pre-24.05)</li>
+</ul>
+
+<h3 id="opac">OPAC</h3>
+
+<h4 id="otherbugsfixed">Other bugs fixed</h4>
+
+<ul>
+<li><a href="http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35942">35942</a> OPAC user can enroll several times to the same club</li>
+</ul>
+
+<h3 id="reports">Reports</h3>
+
+<h4 id="criticalbugsfixed">Critical bugs fixed</h4>
+
+<ul>
+<li><a href="http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31988">31988</a> manager.pl is only user for "Catalog by item type" report</li>
+</ul>
+
+<h2 id="documentation">Documentation</h2>
+
+<p>The Koha manual is maintained in Sphinx. The home page for Koha
+documentation is</p>
+
+<ul>
+<li><p><a href="http://koha-community.org/documentation/">Koha Documentation</a>
+As of the date of these release notes, the Koha manual is available in the following languages:</p></li>
+<li><p><a href="https://koha-community.org/manual/22.11//html/">Chinese (Traditional)</a> (63%)</p></li>
+<li><a href="https://koha-community.org/manual/22.11//html/">English</a> (100%)</li>
+<li><a href="https://koha-community.org/manual/22.11/en/html/">English (USA)</a></li>
+<li><a href="https://koha-community.org/manual/22.11/fr/html/">French</a> (41%)</li>
+<li><a href="https://koha-community.org/manual/22.11/de/html/">German</a> (40%)</li>
+<li><a href="https://koha-community.org/manual/22.11/hi/html/">Hindi</a> (75%)</li>
+</ul>
+
+<p>The Git repository for the Koha manual can be found at</p>
+
+<ul>
+<li><a href="https://gitlab.com/koha-community/koha-manual">Koha Git Repository</a></li>
+</ul>
+
+<h2 id="translations">Translations</h2>
+
+<p>Complete or near-complete translations of the OPAC and staff
+interface are available in this release for the following languages:</p>
+
+<div style="column-count: 2;">
+
+- Arabic (ar_ARAB) (75%)
+- Armenian (hy_ARMN) (100%)
+- Bulgarian (bg_CYRL) (100%)
+- Chinese (Traditional) (81%)
+- Czech (71%)
+- Dutch (88%)
+- English (100%)
+- English (New Zealand) (69%)
+- English (USA)
+- English (United Kingdom) (99%)
+- Finnish (96%)
+- French (99%)
+- French (Canada) (96%)
+- German (100%)
+- German (Switzerland) (56%)
+- Greek (57%)
+- Hindi (100%)
+- Italian (92%)
+- Norwegian Bokmål (69%)
+- Persian (fa_ARAB) (75%)
+- Polish (99%)
+- Portuguese (Brazil) (99%)
+- Portuguese (Portugal) (88%)
+- Russian (94%)
+- Slovak (67%)
+- Spanish (100%)
+- Swedish (88%)
+- Telugu (77%)
+- Turkish (88%)
+- Ukrainian (79%)
+- hyw_ARMN (generated) (hyw_ARMN) (70%)
+</div>
+
+<p>Partial translations are available for various other languages.</p>
+
+<p>The Koha team welcomes additional translations; please see</p>
+
+<ul>
+<li><a href="http://wiki.koha-community.org/wiki/Translating_Koha">Koha Translation Info</a></li>
+</ul>
+
+<p>For information about translating Koha, and join the koha-translate 
+list to volunteer:</p>
+
+<ul>
+<li><a href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-translate">Koha Translate List</a></li>
+</ul>
+
+<p>The most up-to-date translations can be found at:</p>
+
+<ul>
+<li><a href="http://translate.koha-community.org/">Koha Translation</a></li>
+</ul>
+
+<h2 id="releaseteam">Release Team</h2>
+
+<p>The release team for Koha 22.11.16 is</p>
+
+<ul>
+<li><p>Release Manager: Katrin Fischer</p></li>
+<li><p>Release Manager assistants:</p>
+
+<ul>
+<li>Tomás Cohen Arazi</li>
+<li>Martin Renvoize</li>
+<li>Jonathan Druart</li>
+</ul></li>
+<li><p>QA Manager: Marcel de Rooy</p></li>
+<li><p>QA Team:</p>
+
+<ul>
+<li>Marcel de Rooy</li>
+<li>Julian Maurice</li>
+<li>Lucas Gass</li>
+<li>Victor Grousset</li>
+<li>Kyle M Hall</li>
+<li>Nick Clemens</li>
+<li>Martin Renvoize</li>
+<li>Tomás Cohen Arazi</li>
+<li>Aleisha Amohia</li>
+<li>Emily Lamancusa</li>
+<li>David Cook</li>
+<li>Jonathan Druart</li>
+<li>Pedor Amorim</li>
+</ul></li>
+<li><p>Topic Experts:</p>
+
+<ul>
+<li>UI Design -- Owen Leonard</li>
+<li>Zebra -- Fridolin Somers</li>
+<li>REST API -- Tomás Cohen Arazi</li>
+<li>ERM -- Matt Blenkinsop</li>
+<li>ILL -- Pedro Amorim</li>
+<li>SIP2 -- Matthias Meusburger</li>
+<li>CAS -- Matthias Meusburger</li>
+</ul></li>
+<li><p>Bug Wranglers:</p>
+
+<ul>
+<li>Aleisha Amohia</li>
+<li>Indranil Das Gupta</li>
+</ul></li>
+<li><p>Packaging Managers:</p>
+
+<ul>
+<li>Mason James</li>
+<li>Indranil Das Gupta</li>
+<li>Tomás Cohen Arazi</li>
+</ul></li>
+<li><p>Documentation Manager: Aude Charillon</p></li>
+<li><p>Documentation Team:</p>
+
+<ul>
+<li>Caroline Cyr La Rose</li>
+<li>Kelly McElligott</li>
+<li>Philip Orr</li>
+<li>Marie-Luce Laflamme</li>
+<li>Lucy Vaux-Harvey</li>
+</ul></li>
+<li><p>Translation Manager: Jonathan Druart</p></li>
+<li><p>Wiki curators: </p>
+
+<ul>
+<li>Thomas Dukleth</li>
+<li>Katrin Fischer</li>
+</ul></li>
+<li><p>Release Maintainers:</p>
+
+<ul>
+<li>23.11 -- Fridolin Somers</li>
+<li>23.05 -- Lucas Gass</li>
+<li>22.11 -- Frédéric Demians</li>
+<li>22.05 -- Danyon Sewell</li>
+</ul></li>
+<li><p>Release Maintainer assistants:</p>
+
+<ul>
+<li>22.05 -- Wainui Witika-Park</li>
+</ul></li>
+</ul>
+
+<h2 id="credits">Credits</h2>
+
+<p>We thank the following individuals who contributed patches to Koha 22.11.16</p>
+
+<div style="column-count: 2;">
+
+- Frédéric Demians (3)
+- Jonathan Druart (9)
+- Kyle M Hall (3)
+- Andreas Jonsson (2)
+- Julian Maurice (1)
+- Fridolin Somers (1)
+</div>
+
+<p>We thank the following libraries, companies, and other institutions who contributed
+patches to Koha 22.11.16</p>
+
+<div style="column-count: 2;">
+
+- BibLibre (2)
+- ByWater-Solutions (3)
+- Koha Community Developers (9)
+- Kreablo AB (2)
+- Tamil (3)
+</div>
+
+<p>We also especially thank the following individuals who tested patches
+for Koha</p>
+
+<div style="column-count: 2;">
+
+- Nick Clemens (1)
+- Frédéric Demians (15)
+- Jonathan Druart (4)
+- Katrin Fischer (4)
+- Lucas Gass (3)
+- Victor Grousset (1)
+- Kyle M Hall (2)
+- Andrew Fuerste Henry (1)
+- Owen Leonard (1)
+- David Nind (1)
+- Martin Renvoize (11)
+- Marcel de Rooy (3)
+- Fridolin Somers (12)
+</div>
+
+<p>We regret any omissions.  If a contributor has been inadvertently missed,
+please send a patch against these release notes to koha-devel@lists.koha-community.org.</p>
+
+<h2 id="revisioncontrolnotes">Revision control notes</h2>
+
+<p>The Koha project uses Git for version control.  The current development
+version of Koha can be retrieved by checking out the master branch of:</p>
+
+<ul>
+<li><a href="https://git.koha-community.org/koha-community/koha">Koha Git Repository</a></li>
+</ul>
+
+<p>The branch for this version of Koha and future bugfixes in this release
+line is 22.11.x-security.</p>
+
+<h2 id="bugsandfeaturerequests">Bugs and feature requests</h2>
+
+<p>Bug reports and feature requests can be filed at the Koha bug
+tracker at:</p>
+
+<ul>
+<li><a href="http://bugs.koha-community.org">Koha Bugzilla</a></li>
+</ul>
+
+<p>He rau ringa e oti ai.
+(Many hands finish the work)</p>
+
+<p>Autogenerated release notes updated last on 25 Mar 2024 10:56:35.</p>
diff --git a/misc/release_notes/release_notes_22_11_16.md b/misc/release_notes/release_notes_22_11_16.md
new file mode 100644
index 0000000000..669c88abeb
--- /dev/null
+++ b/misc/release_notes/release_notes_22_11_16.md
@@ -0,0 +1,266 @@
+# RELEASE NOTES FOR KOHA 22.11.16
+25 Mar 2024
+
+Koha is the first free and open source software library automation
+package (ILS). Development is sponsored by libraries of varying types
+and sizes, volunteers, and support companies from around the world. The
+website for the Koha project is:
+
+- [Koha Community](http://koha-community.org)
+
+Koha 22.11.16 can be downloaded from:
+
+- [Download](http://download.koha-community.org/koha-22.11.16.tar.gz)
+
+Installation instructions can be found at:
+
+- [Koha Wiki](http://wiki.koha-community.org/wiki/Installation_Documentation)
+- OR in the INSTALL files that come in the tarball
+
+Koha 22.11.16 is a bugfix/maintenance release with security fixes.
+
+It includes 3 bugfixes.
+
+**System requirements**
+
+You can learn about the system components (like OS and database) needed for running Koha on the [community wiki](https://wiki.koha-community.org/wiki/System_requirements_and_recommendations).
+
+
+## Bugfixes
+
+### Architecture, internals, and plumbing
+
+#### Other bugs fixed
+
+- [36176](http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36176) [23.11 and below] We need tests to check for 'cud-' operations in stable branches (pre-24.05)
+
+### OPAC
+
+#### Other bugs fixed
+
+- [35942](http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35942) OPAC user can enroll several times to the same club
+
+### Reports
+
+#### Critical bugs fixed
+
+- [31988](http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31988) manager.pl is only user for "Catalog by item type" report
+
+## Documentation
+
+The Koha manual is maintained in Sphinx. The home page for Koha
+documentation is
+
+- [Koha Documentation](http://koha-community.org/documentation/)
+As of the date of these release notes, the Koha manual is available in the following languages:
+
+- [Chinese (Traditional)](https://koha-community.org/manual/22.11//html/) (63%)
+- [English](https://koha-community.org/manual/22.11//html/) (100%)
+- [English (USA)](https://koha-community.org/manual/22.11/en/html/)
+- [French](https://koha-community.org/manual/22.11/fr/html/) (41%)
+- [German](https://koha-community.org/manual/22.11/de/html/) (40%)
+- [Hindi](https://koha-community.org/manual/22.11/hi/html/) (75%)
+
+The Git repository for the Koha manual can be found at
+
+- [Koha Git Repository](https://gitlab.com/koha-community/koha-manual)
+
+## Translations
+
+Complete or near-complete translations of the OPAC and staff
+interface are available in this release for the following languages:
+<div style="column-count: 2;">
+
+- Arabic (ar_ARAB) (75%)
+- Armenian (hy_ARMN) (100%)
+- Bulgarian (bg_CYRL) (100%)
+- Chinese (Traditional) (81%)
+- Czech (71%)
+- Dutch (88%)
+- English (100%)
+- English (New Zealand) (69%)
+- English (USA)
+- English (United Kingdom) (99%)
+- Finnish (96%)
+- French (99%)
+- French (Canada) (96%)
+- German (100%)
+- German (Switzerland) (56%)
+- Greek (57%)
+- Hindi (100%)
+- Italian (92%)
+- Norwegian Bokmål (69%)
+- Persian (fa_ARAB) (75%)
+- Polish (99%)
+- Portuguese (Brazil) (99%)
+- Portuguese (Portugal) (88%)
+- Russian (94%)
+- Slovak (67%)
+- Spanish (100%)
+- Swedish (88%)
+- Telugu (77%)
+- Turkish (88%)
+- Ukrainian (79%)
+- hyw_ARMN (generated) (hyw_ARMN) (70%)
+</div>
+
+Partial translations are available for various other languages.
+
+The Koha team welcomes additional translations; please see
+
+- [Koha Translation Info](http://wiki.koha-community.org/wiki/Translating_Koha)
+
+For information about translating Koha, and join the koha-translate 
+list to volunteer:
+
+- [Koha Translate List](http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-translate)
+
+The most up-to-date translations can be found at:
+
+- [Koha Translation](http://translate.koha-community.org/)
+
+## Release Team
+
+The release team for Koha 22.11.16 is
+
+
+- Release Manager: Katrin Fischer
+
+- Release Manager assistants:
+  - Tomás Cohen Arazi
+  - Martin Renvoize
+  - Jonathan Druart
+
+- QA Manager: Marcel de Rooy
+
+- QA Team:
+  - Marcel de Rooy
+  - Julian Maurice
+  - Lucas Gass
+  - Victor Grousset
+  - Kyle M Hall
+  - Nick Clemens
+  - Martin Renvoize
+  - Tomás Cohen Arazi
+  - Aleisha Amohia
+  - Emily Lamancusa
+  - David Cook
+  - Jonathan Druart
+  - Pedor Amorim
+
+- Topic Experts:
+  - UI Design -- Owen Leonard
+  - Zebra -- Fridolin Somers
+  - REST API -- Tomás Cohen Arazi
+  - ERM -- Matt Blenkinsop
+  - ILL -- Pedro Amorim
+  - SIP2 -- Matthias Meusburger
+  - CAS -- Matthias Meusburger
+
+- Bug Wranglers:
+  - Aleisha Amohia
+  - Indranil Das Gupta
+
+- Packaging Managers:
+  - Mason James
+  - Indranil Das Gupta
+  - Tomás Cohen Arazi
+
+- Documentation Manager: Aude Charillon
+
+- Documentation Team:
+  - Caroline Cyr La Rose
+  - Kelly McElligott
+  - Philip Orr
+  - Marie-Luce Laflamme
+  - Lucy Vaux-Harvey
+
+- Translation Manager: Jonathan Druart
+
+
+- Wiki curators: 
+  - Thomas Dukleth
+  - Katrin Fischer
+
+- Release Maintainers:
+  - 23.11 -- Fridolin Somers
+  - 23.05 -- Lucas Gass
+  - 22.11 -- Frédéric Demians
+  - 22.05 -- Danyon Sewell
+
+- Release Maintainer assistants:
+  - 22.05 -- Wainui Witika-Park
+
+## Credits
+
+
+
+We thank the following individuals who contributed patches to Koha 22.11.16
+<div style="column-count: 2;">
+
+- Frédéric Demians (3)
+- Jonathan Druart (9)
+- Kyle M Hall (3)
+- Andreas Jonsson (2)
+- Julian Maurice (1)
+- Fridolin Somers (1)
+</div>
+
+We thank the following libraries, companies, and other institutions who contributed
+patches to Koha 22.11.16
+<div style="column-count: 2;">
+
+- BibLibre (2)
+- ByWater-Solutions (3)
+- Koha Community Developers (9)
+- Kreablo AB (2)
+- Tamil (3)
+</div>
+
+We also especially thank the following individuals who tested patches
+for Koha
+<div style="column-count: 2;">
+
+- Nick Clemens (1)
+- Frédéric Demians (15)
+- Jonathan Druart (4)
+- Katrin Fischer (4)
+- Lucas Gass (3)
+- Victor Grousset (1)
+- Kyle M Hall (2)
+- Andrew Fuerste Henry (1)
+- Owen Leonard (1)
+- David Nind (1)
+- Martin Renvoize (11)
+- Marcel de Rooy (3)
+- Fridolin Somers (12)
+</div>
+
+
+
+
+
+We regret any omissions.  If a contributor has been inadvertently missed,
+please send a patch against these release notes to koha-devel@lists.koha-community.org.
+
+## Revision control notes
+
+The Koha project uses Git for version control.  The current development
+version of Koha can be retrieved by checking out the master branch of:
+
+- [Koha Git Repository](https://git.koha-community.org/koha-community/koha)
+
+The branch for this version of Koha and future bugfixes in this release
+line is 22.11.x-security.
+
+## Bugs and feature requests
+
+Bug reports and feature requests can be filed at the Koha bug
+tracker at:
+
+- [Koha Bugzilla](http://bugs.koha-community.org)
+
+He rau ringa e oti ai.
+(Many hands finish the work)
+
+Autogenerated release notes updated last on 25 Mar 2024 10:56:35.
diff --git a/reports/catalog_by_itemtype.pl b/reports/catalog_by_itemtype.pl
new file mode 100755
index 0000000000..fcaf5f17ef
--- /dev/null
+++ b/reports/catalog_by_itemtype.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+use C4::Auth qw( get_template_and_user );
+use CGI qw ( -utf8 );
+use C4::Context;
+use C4::Output qw( output_html_with_http_headers );
+
+my $input          = CGI->new;
+my $report_name    = $input->param("report_name");
+my $do_it          = $input->param('do_it');
+my $fullreportname = "reports/itemtypes.tt";
+my @values         = $input->multi_param("value");
+my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+    {
+        template_name => $fullreportname,
+        query         => $input,
+        type          => "intranet",
+        flagsrequired => { reports => '*' },
+    }
+);
+$template->param(
+    do_it => $do_it,
+);
+if ($do_it) {
+    my $results = calculate( \@values );
+    $template->param( mainloop => $results );
+}
+output_html_with_http_headers $input, $cookie, $template->output;
+
+sub calculate {
+    my ($parameters) = @_;
+    my @results      = ();
+    my $branch       = @$parameters[0];
+    my $dbh          = C4::Context->dbh;
+    my $sth;
+    if ( C4::Context->preference('item-level_itypes') ) {
+        $sth = $dbh->prepare(
+            q|
+            SELECT itemtypes.itemtype, description, COUNT(*) AS total
+            FROM itemtypes, items
+            WHERE items.itype=itemtypes.itemtype
+            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
+            GROUP BY itemtypes.itemtype, description, items.itype
+            ORDER BY itemtypes.description
+        |
+        );
+    } else {
+        $sth = $dbh->prepare(
+            q|
+            SELECT itemtypes.itemtype, description, COUNT(*) AS total
+            FROM itemtypes, biblioitems, items
+            WHERE biblioitems.itemtype=itemtypes.itemtype
+            AND items.biblioitemnumber=biblioitems.biblioitemnumber
+            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
+            GROUP BY itemtypes.itemtype, description
+            ORDER BY itemtypes.description
+        |
+        );
+    }
+    $sth->execute( $branch || () );
+    my ( $itemtype, $description, $total );
+    my $grantotal = 0;
+    my $count     = 0;
+    while ( ( $itemtype, $description, $total ) = $sth->fetchrow ) {
+        my %line;
+        $line{itemtype} = $itemtype;
+        $line{count}    = $total;
+        $grantotal += $total;
+        push @results, \%line;
+        $count++;
+    }
+    my @mainloop;
+    my %globalline;
+    $globalline{loopitemtype} = \@results;
+    $globalline{total}        = $grantotal;
+    $globalline{branch}       = $branch;
+    push @mainloop, \%globalline;
+    return \@mainloop;
+}
+
+1;
diff --git a/reports/itemtypes.plugin b/reports/itemtypes.plugin
deleted file mode 100755
index ec2c535182..0000000000
--- a/reports/itemtypes.plugin
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/perl
-
-
-# Copyright 2000-2002 Katipo Communications
-#
-# This file is part of Koha.
-#
-# Koha is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# Koha is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Koha; if not, see <http://www.gnu.org/licenses>.
-
-use strict;
-use C4::Auth;
-use CGI qw ( -utf8 );
-use C4::Context;
-use C4::Search;
-use C4::Output;
-use C4::Koha;
-=head1
-
-=cut
-
-sub set_parameters {
-    my ($template) = @_;
-    return $template;
-}
-
-sub calculate {
-	my ($parameters) = @_;
-	my @results =();
-	my $branch = @$parameters[0];
-	my $dbh = C4::Context->dbh;
-	my $sth;
-    if ( C4::Context->preference('item-level_itypes') ) {
-        $sth = $dbh->prepare( q|
-            SELECT itemtypes.itemtype, description, COUNT(*) AS total
-            FROM itemtypes, items
-            WHERE items.itype=itemtypes.itemtype
-            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
-            GROUP BY itemtypes.itemtype, description, items.itype
-            ORDER BY itemtypes.description
-        |);
-    }
-    else {
-        $sth = $dbh->prepare( q|
-            SELECT itemtypes.itemtype, description, COUNT(*) AS total
-            FROM itemtypes, biblioitems, items
-            WHERE biblioitems.itemtype=itemtypes.itemtype
-            AND items.biblioitemnumber=biblioitems.biblioitemnumber
-            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
-            GROUP BY itemtypes.itemtype, description
-            ORDER BY itemtypes.description
-        |);
-    }
-    $sth->execute($branch || ());
-    my ($itemtype, $description,$total);
-	my $grantotal = 0;
-	my $count = 0;
-    while (($itemtype, $description,$total) = $sth->fetchrow) {
-		my %line;
-        $line{itemtype} = $itemtype;
-		$line{count} = $total;
-		$grantotal += $total;
-		push @results,\%line;
-		$count ++;
-	}
-	my @mainloop;
-	my %globalline;
-	$globalline{loopitemtype} = \@results;
-	$globalline{total} = $grantotal;
-	$globalline{branch} = $branch;
-	push @mainloop,\%globalline;
-	return \@mainloop;
-}
-
-1;
diff --git a/reports/manager.pl b/reports/manager.pl
deleted file mode 100755
index ff174f00d3..0000000000
--- a/reports/manager.pl
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright 2000-2002 Katipo Communications
-#
-# This file is part of Koha.
-#
-# Koha is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# Koha is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Koha; if not, see <http://www.gnu.org/licenses>.
-
-use Modern::Perl;
-use CGI qw ( -utf8 );
-use C4::Auth qw( get_template_and_user );
-use C4::Context;
-use C4::Output qw( output_html_with_http_headers );
-
-
-my $input = CGI->new;
-my $report_name=$input->param("report_name");
-my $do_it=$input->param('do_it');
-my $fullreportname = "reports/".$report_name.".tt";
-my @values = $input->multi_param("value");
-my ($template, $borrowernumber, $cookie)
-	= get_template_and_user({template_name => $fullreportname,
-				query => $input,
-				type => "intranet",
-				flagsrequired => {reports => '*'},
-				});
-$template->param(do_it => $do_it,
-		report_name => $report_name,
-		);
-my $cgidir = C4::Context->config('intranetdir')."/cgi-bin/reports/";
-unless (-r $cgidir and -d $cgidir) {
-    $cgidir = C4::Context->config('intranetdir')."/reports/";
-} 
-my $plugin = $cgidir.$report_name.".plugin";
-require $plugin;
-if ($do_it) {
-	my $results = calculate(\@values);
-	$template->param(mainloop => $results);
-} else {
-	$template = set_parameters($template);
-}
-output_html_with_http_headers $input, $cookie, $template->output;
diff --git a/serials/lateissues-export.pl b/serials/lateissues-export.pl
index af83f2c6f6..f82b9f1e18 100755
--- a/serials/lateissues-export.pl
+++ b/serials/lateissues-export.pl
@@ -27,6 +27,13 @@ use Koha::CsvProfiles;
 use Text::CSV_XS;
 
 my $query = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $query->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $query->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $supplierid = $query->param('supplierid');
 my @serialids = $query->multi_param('serialid');
 my $op = $query->param('op') || q{};
diff --git a/t/db_dependent/FrameworkPlugin.t b/t/db_dependent/FrameworkPlugin.t
index 41baf49153..c3031ac22f 100755
--- a/t/db_dependent/FrameworkPlugin.t
+++ b/t/db_dependent/FrameworkPlugin.t
@@ -144,6 +144,7 @@ sub test05 {
     my $mOutput = Test::MockModule->new('C4::Output');
     $mContext->mock( 'userenv', \&mock_userenv );
     $mAuth->mock( 'checkauth', sub { return ( 1, undef, 1, all_perms() ); } );
+    $mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
     $mOutput->mock('output_html_with_http_headers',  sub { ++$launched; } );
 
     my $cgi=CGI->new;
diff --git a/t/db_dependent/Koha/UI/Form/Builder/Biblio.t b/t/db_dependent/Koha/UI/Form/Builder/Biblio.t
index cdf93c4880..ed5d582ef0 100755
--- a/t/db_dependent/Koha/UI/Form/Builder/Biblio.t
+++ b/t/db_dependent/Koha/UI/Form/Builder/Biblio.t
@@ -18,6 +18,7 @@
 use Modern::Perl;
 
 use Test::More tests => 7;
+use Test::MockModule;
 
 use C4::ClassSource;
 
@@ -26,6 +27,10 @@ use Koha::DateUtils qw( dt_from_string );
 use Koha::ItemTypes;
 use Koha::Libraries;
 
+# Auth required for cataloguing plugins
+my $mAuth = Test::MockModule->new('C4::Auth');
+$mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
+
 my $schema = Koha::Database->new->schema;
 $schema->storage->txn_begin;
 
diff --git a/t/db_dependent/Koha/UI/Form/Builder/Item.t b/t/db_dependent/Koha/UI/Form/Builder/Item.t
index dedbb31775..de82c7741c 100755
--- a/t/db_dependent/Koha/UI/Form/Builder/Item.t
+++ b/t/db_dependent/Koha/UI/Form/Builder/Item.t
@@ -17,6 +17,7 @@
 
 use Modern::Perl;
 use Test::More tests => 9;
+use Test::MockModule;
 use Data::Dumper qw( Dumper );
 use utf8;
 
@@ -28,6 +29,10 @@ use Koha::UI::Form::Builder::Item;
 use t::lib::TestBuilder;
 use t::lib::Mocks;
 
+# Auth required for cataloguing plugins
+my $mAuth = Test::MockModule->new('C4::Auth');
+$mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
+
 my $schema = Koha::Database->new->schema;
 $schema->storage->txn_begin;
 
diff --git a/t/db_dependent/Letters.t b/t/db_dependent/Letters.t
index 84f09a82f9..5115d4a895 100755
--- a/t/db_dependent/Letters.t
+++ b/t/db_dependent/Letters.t
@@ -18,7 +18,7 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
-use Test::More tests => 92;
+use Test::More tests => 93;
 use Test::MockModule;
 use Test::Warn;
 use Test::Exception;
@@ -1099,3 +1099,48 @@ subtest 'Test message_id parameter for SendQueuedMessages' => sub {
     is( $message_1->{status}, 'failed', 'Message 1 status is unchanged' );
     is( $message_2->{status}, 'sent', 'Valid from_address => status sent' );
 };
+
+subtest 'Template toolkit syntax in parameters' => sub {
+
+    my $borrowernumber = Koha::Patron->new(
+        {
+            firstname      => 'Robert',
+            surname        => '[% USE Categories %][% Categories.all().search_related("borrowers").count() %]',
+            categorycode   => $patron_category,
+            branchcode     => $library->{branchcode},
+            dateofbirth    => $date,
+            smsalertnumber => undef,
+        }
+    )->store->borrowernumber;
+
+    my $title   = q|<<branches.branchname>> - <<status>>|;
+    my $content = q{Dear <<borrowers.firstname>> <<borrowers.surname>>};
+
+    $dbh->do(
+        q|INSERT INTO letter(branchcode,module,code,name,is_html,title,content,message_transport_type) VALUES (?,'my module','tt test','my name',1,?,?,'email')|,
+        undef, $library->{branchcode}, $title, $content
+    );
+
+    my $tables = {
+        borrowers => $borrowernumber,
+        branches  => $library->{branchcode},
+        biblio    => $biblionumber,
+    };
+    my $substitute = {
+        status => 'overdue',
+    };
+    my $prepared_letter = GetPreparedLetter(
+        module      => 'my module',
+        branchcode  => $library->{branchcode},
+        letter_code => 'tt test',
+        tables      => $tables,
+        substitute  => $substitute,
+        repeat      => [],
+    );
+
+    is(
+        $prepared_letter->{content},
+        'Dear Robert [% USE Categories %][% Categories.all().search_related("borrowers").count() %]',
+        'Template toolkit syntax in parameter was not evaluated.'
+    );
+};
diff --git a/t/db_dependent/Serials.t b/t/db_dependent/Serials.t
index eb432dc914..37c16a5c96 100755
--- a/t/db_dependent/Serials.t
+++ b/t/db_dependent/Serials.t
@@ -16,12 +16,17 @@ use Koha::DateUtils qw( dt_from_string output_pref );
 use Koha::Acquisition::Booksellers;
 use t::lib::Mocks;
 use t::lib::TestBuilder;
+use Test::MockModule;
 use Test::More tests => 52;
 
 BEGIN {
     use_ok('C4::Serials', qw( updateClaim NewSubscription GetSubscription GetSubscriptionHistoryFromSubscriptionId SearchSubscriptions ModSubscription GetExpirationDate GetSerials GetSerialInformation NewIssue AddItem2Serial DelSubscription GetFullSubscription PrepareSerialsData GetSubscriptionsFromBiblionumber ModSubscriptionHistory GetSerials2 GetLatestSerials GetNextSeq GetSeq CountSubscriptionFromBiblionumber ModSerialStatus findSerialsByStatus HasSubscriptionStrictlyExpired HasSubscriptionExpired GetLateOrMissingIssues check_routing addroutingmember GetNextDate ));
 }
 
+# Auth required for cataloguing plugins
+my $mAuth = Test::MockModule->new('C4::Auth');
+$mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
+
 my $schema = Koha::Database->new->schema;
 $schema->storage->txn_begin;
 my $dbh = C4::Context->dbh;
diff --git a/xt/find-cud.t b/xt/find-cud.t
new file mode 100755
index 0000000000..67721bf1e8
--- /dev/null
+++ b/xt/find-cud.t
@@ -0,0 +1,26 @@
+#!/usr/bin/perl
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+use Test::More tests => 1;
+use Data::Dumper;
+
+my @files = `git grep 'cud-' ':(exclude)xt/find-cud.t' ':(exclude)misc/release_notes/*'`;
+chomp for @files;
+
+is( @files, 0, "This branch is not supposed to have 'cud-', see bug 34478." )
+    or diag( Dumper \@files );
diff --git a/xt/find-missing-auth_checks.t b/xt/find-missing-auth_checks.t
new file mode 100755
index 0000000000..a1a5c0d594
--- /dev/null
+++ b/xt/find-missing-auth_checks.t
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+use Test::More;
+
+use File::Slurp qw(read_file);
+
+my @excluded_paths =
+    qw(C4 debian docs etc installer/data install_misc Koha misc selenium t test tmp xt changelanguage.pl build-resources.PL fix-perl-path.PL koha_perl_deps.pl );
+push @excluded_paths, 'opac';    # We cannot test the OPAC scripts, some can be accessed without authentication
+
+my $grep_cmd = q{git grep -l '#!/usr/bin/perl' -- } . join( ' ', map { qq{':!$_'} } @excluded_paths );
+my @files    = `$grep_cmd`;
+
+my @missing_auth_check;
+FILE: foreach my $file (@files) {
+    chomp $file;
+    my @lines = read_file($file);
+    for my $line (@lines) {
+        for my $routine (qw( get_template_and_user check_cookie_auth checkauth check_api_auth C4::Service->init )) {
+            next FILE if $line =~ m|^[^#]*$routine|;
+        }
+    }
+    push @missing_auth_check, $file;
+}
+is( scalar @missing_auth_check, 0 ) or diag "No auth check in the following files:\n" . join "\n", @missing_auth_check;
+done_testing;