Skip to main content

Koha EUVD-2026-36652

| CVE-2026-6428 MEDIUM
SQL Injection (CWE-89)
2026-06-13 TuranSec GHSA-6cmj-32gf-5r49
SQLi Koha
5.6
CVSS 4.0 · Vendor: TuranSec
Share

Severity by source

Vendor (TuranSec) PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber
vuln.today AI
6.5 MEDIUM

Network-reachable via authenticated staff web session (PR:L); read-only SQL injection yields full confidentiality loss with no confirmed integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TuranSec).

CVSS VectorVendor: TuranSec

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 13, 2026 - 17:31 vuln.today

DescriptionCVE.org

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.

The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:

my $f = @$filters[0]; $f =~ s/\*/%/g; $strsth2 .= " AND $column LIKE '$f' ";

This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.

Proof of concept (error-based, single request):

GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID=<LIBRARIAN_SESSION>

The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).

The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

AnalysisAI

SQL injection in Koha's reports/catalogue_out.pl grants authenticated staff with the Reports module flag full read access to the Koha MariaDB database, including borrower password hashes, 2FA secrets, API keys, session tokens, and patron PII. The vulnerability traces to a 2008 commit and was overlooked when CVE-2015-4633 patched the same injection class in sibling files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain staff credentials with Reports module flag
Delivery
Authenticate and capture valid CGISESSID session cookie
Exploit
Craft GET request to reports/catalogue_out.pl with Criteria=branchcode and EXTRACTVALUE payload in Filter
Execution
Parse MariaDB DBI error response leaking DB metadata
Persist
Enumerate borrowers, api_keys, and sessions tables via LIMIT/SUBSTRING iterations
Impact
Exfiltrate password hashes, 2FA secrets, and session tokens
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Koha staff session with the Reports module flag explicitly granted (PR:L); anonymous or unprivileged patron accounts cannot reach the vulnerable endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H) scores 5.6 but likely understates operational risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Koha staff credentials (via phishing, credential stuffing, or insider access) sends a single authenticated GET request to /cgi-bin/koha/reports/catalogue_out.pl with Criteria=branchcode and an EXTRACTVALUE payload in the Filter parameter. The MariaDB DBI exception leaks the database version, user, and schema name in the HTTP response body. …
Remediation Upgrade to a vendor-released patched version: Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, or 26.11.00, all of which replace the raw string-concatenation sink in reports/catalogue_out.pl with DBI parameterized placeholders. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-36652 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy