CVE-2026-6428
Status: Received - Intake
SQL Injection in Koha Community Koha

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.

The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:

    my $f = @$filters[0];
    $f =~ s/\*/%/g;
    $strsth2 .= " AND $column LIKE '$f' ";

This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.

Proof of concept (error-based, single request):

    GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-
    Cookie: CGISESSID=<LIBRARIAN_SESSION>

The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).

The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.
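The following Perl script is an added illustration, not code from Koha or from the advisory: it places the concatenation pattern the description quotes next to the bound-parameter shape that the description says the fixed releases use. The items table, its columns and rows, the column allow-list and the use of an in-memory SQLite database through DBD::SQLite (instead of Koha's MariaDB) are all assumptions made for the demo; Koha's actual patch is not reproduced.

```perl
#!/usr/bin/env perl
# Added illustration for CVE-2026-6428 (not Koha's code): the interpolated
# LIKE clause described in the advisory next to a placeholder-bound version.
# Table layout, rows and the allow-list are constructed for this demo, and the
# script runs against an in-memory SQLite database (DBD::SQLite) rather than
# Koha's MariaDB. Both subs keep the advisory's "s/\*/%/g" wildcard translation
# so that behaviour on honest input is identical.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 } );

# Constructed sample data standing in for a library's item records.
$dbh->do('CREATE TABLE items (itemnumber INTEGER PRIMARY KEY, homebranch TEXT, title TEXT)');
$dbh->do(q{INSERT INTO items (homebranch, title)
           VALUES ('CPL', 'Alpha'), ('MPL', 'Beta'), ('CPL', 'Gamma')});

# Vulnerable shape (CWE-89): the filter is interpolated into the statement
# text, so a quote inside it ends the string literal and whatever follows is
# parsed as SQL.
sub count_items_unsafe {
    my ( $column, $filter ) = @_;
    ( my $f = $filter ) =~ s/\*/%/g;
    my $strsth = "SELECT COUNT(*) FROM items WHERE 1=1 ";
    $strsth .= " AND $column LIKE '$f' ";
    my ($n) = $dbh->selectrow_array($strsth);
    return $n;
}

# Fixed shape: the column name is checked against a fixed allow-list
# (identifiers cannot be bound), and the filter value travels as a
# placeholder that the driver hands to the engine separately from the SQL
# text, so it can never change the statement's structure.
my %ALLOWED_COLUMN = map { $_ => 1 } qw(homebranch holdingbranch);

sub count_items_safe {
    my ( $column, $filter ) = @_;
    die "column '$column' is not filterable\n" unless $ALLOWED_COLUMN{$column};
    ( my $f = $filter ) =~ s/\*/%/g;
    my $strsth = "SELECT COUNT(*) FROM items WHERE 1=1 ";
    $strsth .= " AND $column LIKE ? ";
    my ($n) = $dbh->selectrow_array( $strsth, undef, $f );
    return $n;
}

# Honest wildcard input: both versions agree (two items at branches starting with C).
printf "unsafe  Filter=C*    -> %d\n", count_items_unsafe( 'homebranch', 'C*' );
printf "safe    Filter=C*    -> %d\n", count_items_safe( 'homebranch', 'C*' );

# A filter containing an apostrophe. The unsafe version builds broken SQL and
# DBI raises the exception whose text the advisory describes leaking into the
# HTTP response; the safe version compares the value literally and matches
# nothing.
my $with_quote = q{C'*};
eval { count_items_unsafe( 'homebranch', $with_quote ); 1 }
    or print "unsafe  Filter=C'*   -> DBI exception: $@";
printf "safe    Filter=C'*   -> %d\n", count_items_safe( 'homebranch', $with_quote );
```

The allow-list on the column name matters as much as the placeholder: a `?` can only stand in for a value, so any part of the statement that comes from request data and names a column or table still has to be validated against a closed set.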
Meta Information

Published: 2026-06-13
Last Modified: 2026-06-13
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
koha_community koha 22.11.37
koha_community koha 23.x
koha_community koha to 24.11.16 (exc)
koha_community koha to 25.05.11 (exc)
koha_community koha to 25.11.05 (exc)
koha_community koha to 26.05.01 (exc)
koha_community koha to 26.11.00 (exc)
koha_community koha 22.11.38
koha_community koha 24.11.16
koha_community koha 25.05.11
koha_community koha 25.11.05
koha_community koha 26.05.01
koha_community koha 26.11.00
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Executive Summary

This vulnerability is an SQL Injection in the reports/catalogue_out.pl script of Koha Community Koha versions through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00.

An authenticated staff user with the Reports module flag can exploit this vulnerability by manipulating the Filter URL parameter when the Criteria parameter matches /branchcode/. The vulnerability arises because the Filter parameter is concatenated directly into a SQL LIKE clause without proper sanitization or use of bound parameters.

This allows error-based SQL injection attacks, enabling the attacker to read arbitrary data from the Koha application database, including sensitive tables such as borrowers (containing password hashes, 2FA secrets, and personally identifiable information), borrower_password_recovery, api_keys, and sessions.

Impact Analysis

The impact of this vulnerability is significant as it allows an authenticated staff user to read sensitive and confidential data from the Koha database.

  • Disclosure of password hashes and two-factor authentication secrets.
  • Exposure of personally identifiable information (PII) of borrowers.
  • Access to password recovery information.
  • Exposure of API keys and session data.

Such data exposure can lead to unauthorized access, identity theft, and compromise of the library system's security and user privacy.

Detection Guidance

The presence of this vulnerability can be confirmed with an active test, preferably against a non-production instance: send the reports/catalogue_out.pl script a specially crafted HTTP GET request whose Filter parameter carries an SQL injection payload.

For example, a proof of concept request to detect the vulnerability is:

  • GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-

If the response body contains a DBI exception revealing the database version, user, or other details, the instance is vulnerable. Checking the installed Koha version against the fixed releases, and reviewing web-server access logs for requests to reports/catalogue_out.pl whose Filter value contains a quote character, are non-intrusive alternatives.
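As an added example (not a Koha tool and not part of the advisory), the following Perl script performs a non-intrusive log check for this issue: it scans access-log lines for requests to reports/catalogue_out.pl whose Criteria matches branchcode and whose Filter parameter contains a single quote, the character that turns the vulnerable LIKE clause into SQL syntax. The log lines are constructed for the demo in Apache combined format, and the two-tier verdict ("review" for any quote, "suspect" for a quote followed by SQL-looking tokens) is a design choice of this example, not something the advisory specifies.

```perl
#!/usr/bin/env perl
# Added detection example for CVE-2026-6428 (not Koha's code, not from the
# advisory): flag access-log requests to reports/catalogue_out.pl whose
# Filter parameter carries a single quote. Log lines below are constructed
# for the demo in Apache combined format. Core Perl only, no CPAN modules.
use strict;
use warnings;

my @log_lines = (
    q{10.0.0.5 - - [13/Jun/2026:10:01:02 +0000] "GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=CPL* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"},
    q{10.0.0.7 - - [13/Jun/2026:10:04:41 +0000] "GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x%27+AND+1%3D1--+- HTTP/1.1" 500 812 "-" "curl/8.5"},
    q{10.0.0.8 - - [13/Jun/2026:10:06:20 +0000] "GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=O%27Brien* HTTP/1.1" 500 790 "-" "Mozilla/5.0"},
    q{10.0.0.9 - - [13/Jun/2026:10:07:13 +0000] "GET /cgi-bin/koha/catalogue/search.pl?q=x%27+OR+1%3D1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"},
);

# Decode one application/x-www-form-urlencoded value.
sub url_decode {
    my ($v) = @_;
    $v =~ tr/+/ /;
    $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $v;
}

# Return undef for lines that do not concern the report script, otherwise a
# hashref carrying the verdict: 'review' when a quote reached the Filter
# parameter, 'suspect' when SQL-looking tokens follow it (the shape of the
# advisory's PoC). The HTTP status is reported because the advisory says the
# DBI exception surfaces in the response, so server errors corroborate a hit.
sub classify_request {
    my ($line) = @_;
    my ( $client, $when, $path, $status ) =
        $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/
        or return;
    my ( $script, $query ) = split /\?/, $path, 2;
    return unless $script =~ m{/reports/catalogue_out\.pl$} && defined $query;

    my %param = map {
        my ( $k, $v ) = split /=/, $_, 2;
        ( $k, url_decode( $v // '' ) );
    } split /&/, $query;
    return unless ( $param{Criteria} // '' ) =~ /branchcode/;

    my $filter = $param{Filter} // '';
    return unless $filter =~ /'/;
    my $verdict =
        $filter =~ /\b(?:AND|OR|UNION|SELECT|EXTRACTVALUE)\b|--/i ? 'suspect' : 'review';
    return {
        verdict => $verdict, client => $client, when => $when,
        status  => $status,  filter => $filter,
    };
}

for my $line (@log_lines) {
    my $hit = classify_request($line) or next;
    printf "[%-7s] %s %s status=%s Filter=%s\n",
        uc $hit->{verdict}, $hit->{client}, $hit->{when}, $hit->{status}, $hit->{filter};
}
```

On the constructed input the first line (a plain wildcard) and the fourth (a different script) produce nothing, the second is reported as SUSPECT and the third as REVIEW. The REVIEW tier exists because a legitimate value such as O'Brien* also carries a quote and, on an unpatched instance, also triggers the same DBI exception; treating every quote as an attack would bury the real signal in false positives.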

Mitigation Strategies

The immediate mitigation step is to upgrade Koha to a fixed version where the vulnerability is patched.

  • Upgrade to Koha versions 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, or 26.11.00 or later, which replace the vulnerable raw SQL concatenation with parameterised placeholders.

Until an upgrade can be applied, restrict access to the Reports module to trusted authenticated staff users only, as the vulnerability requires authenticated access with the Reports module flag.

Compliance Impact

The SQL Injection vulnerability in Koha allows an authenticated staff user to read arbitrary data from the application database, including sensitive information such as password hashes, 2FA secrets, personally identifiable information (PII), API keys, and session data.

This exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access.

By enabling unauthorized reading of sensitive data, the vulnerability increases the risk of data breaches, which can result in legal and regulatory consequences under these standards.
