CVE-2026-31844
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.
Analysis
SQL injection in the Koha library management system's staff interface allows authenticated users to manipulate the displayby parameter in suggestion.pl, enabling arbitrary SQL query execution against the backend database. Low-privileged staff members can exploit this vulnerability to extract sensitive data or modify database contents without additional privileges. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit logs for suspicious activity on the /cgi-bin/koha/suggestion/suggestion.pl endpoint and restrict access to authorized staff only. Within 7 days: Implement WAF rules to block malicious SQL patterns in the displayby parameter and consider disabling the suggestion feature if not critical to operations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today