Description
SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.

The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:

my $f = @$filters[0];                    # Filter URL parameter, taken as-is
$f =~ s/\*/%/g;                          # report wildcard '*' becomes SQL '%'
$strsth2 .= " AND $column LIKE '$f' ";   # interpolated into the statement: the injection sink

This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.

Proof of concept (error-based, single request):

GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-
Cookie: CGISESSID=<LIBRARIAN_SESSION>

The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).

The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.
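The following script is an added example, not Koha's code: it rebuilds the LIKE-filter pattern from the advisory with a DBI bind placeholder (the shape of fix the last paragraph describes) and runs it against a constructed in-memory SQLite table. It assumes DBD::SQLite is installed; the table, rows, the %allowed_column whitelist (standing in for whatever Koha derives from the Criteria parameter) and the count_items function are all constructed here.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): the report filter bound as data via a
# DBI placeholder instead of being interpolated into the SQL string.
# Assumes DBD::SQLite; the schema, rows and whitelist below are constructed.
use strict;
use warnings;
use DBI;

# Only columns the report may filter on; anything else is refused.
# (Assumption: stands in for how Koha maps Criteria to a column name.)
my %allowed_column = map { $_ => 1 } qw(branchcode itemtype);

# Translate the report's '*' wildcard to SQL '%' and return the SQL fragment
# together with the value to bind, rather than quoting the value into the SQL.
sub filter_clause {
    my ( $column, $filter ) = @_;
    die "unexpected filter column '$column'\n"
        unless $allowed_column{$column};
    ( my $f = $filter ) =~ s/\*/%/g;
    return ( " AND $column LIKE ? ", $f );
}

my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do('CREATE TABLE items (itemnumber INTEGER, branchcode TEXT, itemtype TEXT)');
my $ins = $dbh->prepare('INSERT INTO items VALUES (?, ?, ?)');
$ins->execute(@$_) for [ 1, 'CPL', 'BK' ], [ 2, 'MPL', 'BK' ], [ 3, 'CPL', 'CD' ];

# Count items matching a filter; the statement text never contains the
# user-supplied value, so quotes or comment markers in it cannot alter the SQL.
sub count_items {
    my ( $column, $filter ) = @_;
    my $sql = 'SELECT COUNT(*) FROM items WHERE 1=1';
    my @bind;
    my ( $clause, $value ) = filter_clause( $column, $filter );
    $sql .= $clause;
    push @bind, $value;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);    # the filter travels as a bound parameter
    return ( $sth->fetchrow_array )[0];
}

printf "Filter=CPL            -> %d rows\n", count_items( 'branchcode', 'CPL' );
printf "Filter=C*             -> %d rows\n", count_items( 'branchcode', 'C*' );
# A quote in the value is compared literally: the clause simply matches nothing.
printf "Filter=x' OR '1'='1   -> %d rows\n", count_items( 'branchcode', "x' OR '1'='1" );
```

The wildcard translation the original code performs is kept, since it is the report's feature; what changes is that the translated value goes to execute() as a bound parameter and the column name is checked against a fixed list, so neither half of the clause is built from request data.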
Published: 2026-06-13
Score: 5.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw in Koha’s reports/catalogue_out.pl allows an authenticated staff member with Reports module privileges to inject a malicious LIKE clause via the Filter URL parameter when the Criteria field is set to branchcode. This flaw permits an attacker to read any table in the Koha database, including sensitive borrower details, password hashes, two‑factor secrets, API keys, and session data. The vulnerability is identified as CWE‑89 and is limited to data exfiltration, not arbitrary code execution.

Affected Systems

The issue exists in Koha Community Edition versions 22.11.37 and earlier, all 23.x releases, every 24.x release prior to 24.11.16, every 25.05.x prior to 25.05.11, every 25.11.x prior to 25.11.05, every 26.05.x prior to 26.05.01, and every 26.11.x prior to 26.11.00. All affected builds are maintained by the Koha Community and are distributed under the Koha project.

Risk and Exploitability

With a CVSS score of 5.6 the flaw is considered medium severity; the EPSS metric is not available, and it is not listed in the CISA KEV catalog. An attacker who is authenticated and has the Reports flag can launch an error‑based SQL injection by sending a crafted request such as the example in the advisory. The exploitation does not require elevated privilege beyond the staff account, but once the flaw is abused any database table can be read, exposing highly sensitive data. Because the vulnerability is only exploitable by users who already have access to the reports interface, immediate patching is the most effective mitigation.

Generated by OpenCVE AI on June 13, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the patched Koha Community Edition version: 22.11.38 or any newer release that contains the fixed reports/catalogue_out.pl file (e.g., 24.11.16, 25.05.11, 25.11.05, 26.05.01, 26.11.00).
  • For systems unable to upgrade immediately, revoke the Reports module flag from all staff accounts or restrict the reports interface to network segments that are fully trusted.
  • As a temporary control, block external access to the /cgi-bin/koha/reports/catalogue_out.pl URL using firewall or web‑application firewall rules until the software is updated.

Generated by OpenCVE AI on June 13, 2026 at 18:20 UTC.


Advisories

No advisories yet.

History

Sat, 13 Jun 2026 18:45:00 +0000

Type                | Values Removed | Values Added
Title               |                | SQL Injection via Filter Parameter in Koha Reports Module
First Time appeared |                | Koha-community; Koha-community koha
Vendors & Products  |                | Koha-community; Koha-community koha

Sat, 13 Jun 2026 17:15:00 +0000

Type        | Values Removed | Values Added
Description |                | (identical to the Description section above)
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:S/C:C/I:N/A:P'}
            |                | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
            |                | cvssV4_0: {'score': 5.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/V:C/U:Amber'}


Subscriptions

Koha-community Koha
MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-13T16:35:56.718Z

Reserved: 2026-04-16T12:58:10.800Z

Link: CVE-2026-6428

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-13T17:16:17.190

Modified: 2026-06-13T17:16:17.190

Link: CVE-2026-6428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T18:30:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')