
Description

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.
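As an added illustration of the defect class named above (not Koha's own code, which is Perl and is not reproduced on this page), the following Python sketch shows the validation that a column-selecting parameter such as displayby requires: a column name cannot be passed to the database as a bound placeholder, so the request value has to be mapped through an allowlist before it reaches the query text. The table and column names used here are constructed for the example and are not taken from Koha's schema.

```python
import sqlite3

# Request values the UI may group by, mapped to the identifier that actually
# goes into the SQL. Only values on the right-hand side ever reach the query.
# (Constructed for this example; not Koha's real column set.)
ALLOWED_DISPLAYBY = {
    "status": "STATUS",
    "branchcode": "branchcode",
    "itemtype": "itemtype",
}


def get_distinct_values(conn, displayby):
    """Return the distinct values of an allowlisted column, or raise ValueError.

    The lookup, not string inspection, is the control: anything that is not a
    key of ALLOWED_DISPLAYBY is rejected, including real columns that the UI is
    not meant to expose and any string carrying SQL syntax.
    """
    try:
        column = ALLOWED_DISPLAYBY[displayby]
    except KeyError:
        raise ValueError(f"displayby value not permitted: {displayby!r}")
    # `column` is now one of our own literals, never request data.
    rows = conn.execute(f"SELECT DISTINCT {column} FROM suggestions ORDER BY 1")
    return [r[0] for r in rows]


def is_rejected(conn, displayby):
    """True if the request value is refused before any query runs."""
    try:
        get_distinct_values(conn, displayby)
    except ValueError:
        return True
    return False


def demo_conn():
    """Constructed in-memory sample standing in for a suggestions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE suggestions "
        "(STATUS TEXT, branchcode TEXT, itemtype TEXT, suggestedby INTEGER)"
    )
    conn.executemany(
        "INSERT INTO suggestions VALUES (?, ?, ?, ?)",
        [("ASKED", "CPL", "BK", 1), ("ACCEPTED", "CPL", "DVD", 2), ("ASKED", "MPL", "BK", 3)],
    )
    return conn
```

Note that "suggestedby" is a real column in the sample table yet is still refused, because the allowlist defines what the endpoint may group by, not what the schema happens to contain.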

Status: PUBLISHED | Reserved 2026-03-09 | Published 2026-03-11 | Updated 2026-03-11 | Assigner: TuranSec

CVSS 4.0: 8.7 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CVSS 3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVSS 2.0: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

24.11.0 (semver) before 24.11.12: affected

25.05.0 (semver) before 25.05.07: affected

25.11.0 (semver) before 25.11.01: affected

Credits

Raximov Shukrulloh (Mothra), finder

References

bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 (issue-tracking)

koha-community.gitlab.io/KohaAdvent/2025-12-09-security-all/ (vendor-advisory)

koha-community.org/koha-25-11-01-released/ (release-notes)

cve.org (CVE-2026-31844)

nvd.nist.gov (CVE-2026-31844)
