Description
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise via SQL injection
Action: Quick patch
AI Analysis

Impact

An authenticated SQL Injection (CWE-89) exists in the Koha staff interface endpoint /cgi-bin/koha/suggestion/suggestion.pl, specifically in the displayby parameter used by GetDistinctValues. A low‑privileged staff user can inject arbitrary SQL statements, allowing execution of unintended queries and exposure or modification of sensitive data. Successful exploitation can result in full compromise of the backend database, potentially allowing an attacker to read, alter, or delete stored information.

Affected Systems

The vulnerability affects Koha installations (vendor Koha Community, product Koha) that expose the /cgi-bin/koha/suggestion/suggestion.pl endpoint to staff users. No specific version range is listed in the CNA data; however, the referenced bug fixes and the 25-11-01 release suggest that older or unpatched versions are vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, whereas the EPSS score of less than 1% points to a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication with staff credentials, but a low-privileged staff role is sufficient to carry out the injection. The attack is therefore mediated through the authenticated staff interface, with no network-level access needed beyond a normal Koha staff login.

Generated by OpenCVE AI on March 17, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Koha release (see references for 25.11.01) which includes the SQL injection fix.
  • Verify that the displayby parameter is now properly validated and that no anonymous or low‑privileged staff actions can supply unfiltered input.
  • Restrict staff accounts to the minimum necessary privileges and disable or tightly control the staff suggestion interface for users that do not require it.
  • Monitor database logs and Koha access logs for suspicious SQL queries or abnormal usage patterns.
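The two checks above (validating displayby, and reviewing access logs) can share one allowlist. The following is an added illustration, not Koha's code: the accepted displayby values, the column names and the suggestions schema are constructed for the example, since the page does not show Koha's own list. A column name cannot be bound as a query parameter, so the safe pattern is to map the request value onto a fixed allowlist and interpolate only the allowlisted column, never the raw input.

```python
"""Added example (not Koha's code): allowlist handling for a column-name
parameter such as displayby, and an access-log check using the same list."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical mapping from accepted displayby values to real column names.
# Constructed for this example; Koha's actual accepted fields may differ.
DISPLAYBY_COLUMNS = {
    "status": "STATUS",
    "branchcode": "branchcode",
    "itemtype": "itemtype",
    "suggestedby": "suggestedby",
}


def get_distinct_values(conn, displayby):
    """Distinct values of the chosen column, with the column name taken
    from the allowlist rather than from the request."""
    column = DISPLAYBY_COLUMNS.get(displayby)
    if column is None:
        raise ValueError(f"unsupported displayby value: {displayby!r}")
    # Only the allowlisted identifier reaches the SQL text.
    cur = conn.execute(f'SELECT DISTINCT "{column}" FROM suggestions ORDER BY 1')
    return [row[0] for row in cur.fetchall()]


def suspicious_displayby_requests(log_lines):
    """(line_no, value) for suggestion.pl requests whose displayby value is
    outside the allowlist; useful when reviewing Koha access logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m or "/cgi-bin/koha/suggestion/suggestion.pl" not in m.group(1):
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("displayby", []):
            if value not in DISPLAYBY_COLUMNS:
                hits.append((n, value))
    return hits


def demo_db():
    """Constructed in-memory stand-in for the suggestions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE suggestions (suggestionid INTEGER, STATUS TEXT,"
                 " branchcode TEXT, itemtype TEXT, suggestedby INTEGER)")
    conn.executemany("INSERT INTO suggestions VALUES (?,?,?,?,?)", [
        (1, "ASKED", "CPL", "BK", 5), (2, "ACCEPTED", "MPL", "BK", 5),
        (3, "ASKED", "CPL", "DVD", 8)])
    return conn
```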

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000
  First Time appeared: added Koha-community; Koha-community koha
  Vendors & Products: added Koha-community; Koha-community koha

Wed, 11 Mar 2026 14:15:00 +0000
  Metrics: added ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 08:00:00 +0000
  References

Wed, 11 Mar 2026 07:45:00 +0000
  Description: removed "An authenticated SQL Injection vulnerability (CWE-89) in the displayby parameter of /cgi-bin/koha/suggestion/suggestion.pl in Koha allows a low-privileged staff user to execute arbitrary SQL queries and retrieve sensitive database information."
  Description: added "An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data."
  References

Wed, 11 Mar 2026 07:00:00 +0000
  Description: added "An authenticated SQL Injection vulnerability (CWE-89) in the displayby parameter of /cgi-bin/koha/suggestion/suggestion.pl in Koha allows a low-privileged staff user to execute arbitrary SQL queries and retrieve sensitive database information."
  Title: added "Authenticated SQL Injection in Koha displayby parameter of suggestion.pl"
  Weaknesses: added CWE-89
  References
  Metrics: added cvssV2_0
  {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C'}
  Metrics: added cvssV3_1
  {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Metrics: added cvssV4_0
  {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-03-11T14:02:52.043Z

Reserved: 2026-03-09T18:20:23.398Z

Link: CVE-2026-31844

Vulnrichment

Updated: 2026-03-11T14:02:48.515Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T07:16:43.900

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-31844

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:42Z

Weaknesses