Description
The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The Koha Library Send Basket feature in versions prior to 23.05.10 allows a remote attacker to perform a time‑based SQL injection against the POST parameter bib_list. This flaw, a classic CWE‑89 vulnerability, lets the attacker extract arbitrary data from the underlying database, compromising confidentiality of user and library information.

Affected Systems

The vulnerability affects the Koha open‑source library management system produced by the Koha community. Any deployment running a Koha release earlier than 23.05.10 (the 23.05 series before that point release, or any older series) is susceptible. No other version numbers are listed in the advisory.

Risk and Exploitability

The CVSS base score is 9.8, indicating critical severity, though the EPSS indicates a very low likelihood of exploitation (under 1%) and it is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP POST request to /cgi-bin/koha/opac-sendbasket.pl that a user can trigger from the web interface; the attacker does not need prior authentication but must be a library user to submit the form. Once exploited, data disclosure can occur, potentially exposing sensitive patron or catalog data.

Generated by OpenCVE AI on April 10, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Koha 23.05.10 upgrade or later to eliminate the unsanitized bib_list parameter.
  • Verify the upgrade by testing the Send Basket function to confirm the vulnerability is fixed.
  • If an upgrade is not immediately possible, restrict access to the Send Basket feature or disable it until the patch is applied.
  • Review and monitor web application logs for unusual SQL queries or delays that may indicate exploitation attempts.
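The monitoring step above is the one a defender can act on before the upgrade lands. The script below is an added example, not OpenCVE's or Koha's code: it scans constructed Apache-style access log lines (combined format with the request time in microseconds appended, as Apache's %D does) for repeated slow POSTs to opac-sendbasket.pl from a single client, which is the footprint a time-based extraction leaves because each deliberately delayed request yields roughly one bit. The log format, thresholds, client addresses and timings are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log shape: Apache combined log format with the request time in
# microseconds (Apache's %D) appended. Adjust LOG_RE to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)
TARGET = "/cgi-bin/koha/opac-sendbasket.pl"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["seconds"] = int(rec["micros"]) / 1_000_000
    return rec


def find_suspects(lines, slow_seconds=3.0, min_hits=3):
    """Return {client_ip: count} for clients with >= min_hits slow POSTs to TARGET.

    A lone slow request is noise (outbound mail can stall); a time-based
    injection learns about one bit per deliberately delayed request, so it
    shows up as a run of slow POSTs from the same client.
    """
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?", 1)[0] == TARGET
                and rec["seconds"] >= slow_seconds):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:14:00:01 +0000] "POST /cgi-bin/koha/opac-sendbasket.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5012345',
    '203.0.113.5 - - [09/Apr/2026:14:00:07 +0000] "POST /cgi-bin/koha/opac-sendbasket.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5020111',
    '198.51.100.7 - - [09/Apr/2026:14:00:09 +0000] "GET /cgi-bin/koha/opac-search.pl?q=dune HTTP/1.1" 200 8192 "-" "Mozilla/5.0" 120455',
    '203.0.113.5 - - [09/Apr/2026:14:00:13 +0000] "POST /cgi-bin/koha/opac-sendbasket.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5200987',
    '198.51.100.7 - - [09/Apr/2026:14:01:30 +0000] "POST /cgi-bin/koha/opac-sendbasket.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0" 6100000',
    '203.0.113.5 - - [09/Apr/2026:14:02:00 +0000] "POST /cgi-bin/koha/opac-sendbasket.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0" 98000',
]

print(find_suspects(SAMPLE_LOG))  # {'203.0.113.5': 3}
```

The single slow POST from 198.51.100.7 stays below the threshold on purpose; tune slow_seconds to sit above your normal Send Basket mail latency so legitimate stalls do not page anyone.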

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Time‑Based SQL Injection in Koha Send Basket Exposes Database

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Time‑Based SQL Injection in Koha Library's Send Basket Functionality
Weaknesses CWE-20

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Time‑Based SQL Injection in Koha Library's Send Basket Functionality
First Time appeared Koha-community
Koha-community koha
Weaknesses CWE-20
CWE-89
Vendors & Products Koha-community
Koha-community koha

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T13:56:09.608Z

Reserved: 2024-05-19T00:00:00.000Z

Link: CVE-2024-36058

Vulnrichment

Updated: 2026-04-09T13:56:00.622Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T17:16:25.050

Modified: 2026-04-09T14:16:24.777

Link: CVE-2024-36058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:23Z

Weaknesses