VYPR
High severity (7.6) · NVD Advisory · Published Jun 13, 2026

CVE-2026-6428

Description

SQL injection in Koha's reports/catalogue_out.pl allows authenticated staff to read arbitrary database data via the Filter parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the calculate subroutine (sub calculate) of reports/catalogue_out.pl in Koha Community Koha. The Filter request parameter is concatenated directly into a LIKE clause of the auxiliary $strsth2 statement instead of being passed as a bound parameter. The vulnerable code was introduced in commit 6bb77ae3e4 (2008-07-09). Affected versions are Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00. [1]

Exploitation

An authenticated staff user with the Reports module flag can exploit this vulnerability. The Criteria parameter must match /branchcode/; the attacker then injects SQL via the Filter parameter. The proof of concept uses EXTRACTVALUE for error-based injection, as shown in the following GET request sent with a valid librarian session cookie:

GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-

The response leaks the MariaDB version, database user, client IP, and database name. [1]

Impact

Successful exploitation allows the attacker to read arbitrary data from the Koha application database. This includes sensitive tables such as borrowers (containing password hashes, two-factor authentication secrets, and personally identifiable information), borrower_password_recovery, api_keys, and sessions. The attacker can use LIMIT n,1 and SUBSTRING to extract data row by row. [1]

Mitigation

The vulnerability is fixed in Koha versions 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder. Users should upgrade to these or later versions. No workaround is documented. The issue is not listed on CISA's Known Exploited Vulnerabilities catalog. [3]
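As an added defender-side example (not part of this advisory and not Koha's code), the following Python script parses constructed web-server access-log lines and flags requests to reports/catalogue_out.pl whose Filter parameter carries quote characters, SQL keywords or comment sequences, recording the Criteria value and HTTP status for triage. The log lines, client IPs and timestamps are constructed; the script path and parameter names are those named in the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real Koha traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jun/2026:10:01:02 +0000] "GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=CPL HTTP/1.1" 200 5120
10.0.0.7 - - [13/Jun/2026:10:02:15 +0000] "GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))--+- HTTP/1.1" 500 812
10.0.0.9 - - [13/Jun/2026:10:03:44 +0000] "GET /cgi-bin/koha/mainpage.pl HTTP/1.1" 200 2300
"""
# Request-line fields of a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Tokens that never belong in a branch-code filter (MySQL/MariaDB error- and union-based primitives).
SQL_TOKEN_RE = re.compile(r"\b(EXTRACTVALUE|UPDATEXML|UNION|SELECT|SLEEP|BENCHMARK|CONCAT)\b", re.I)

def parse_line(line):
    """Return ip/ts/status/path/params for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs also decodes '+' to space and %xx escapes, so keyword checks see the real value.
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "path": url.path, "params": params}

def assess_filter(value):
    """Heuristic reasons a Filter value looks like SQL rather than a branch code."""
    reasons = []
    if "'" in value or '"' in value:
        reasons.append("quote character")
    if SQL_TOKEN_RE.search(value):
        reasons.append("sql keyword")
    if "--" in value or "/*" in value or "#" in value:
        reasons.append("comment sequence")
    return reasons

def find_suspicious(log_text):
    """Flag catalogue_out.pl requests whose Filter parameter carries SQL-like content."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/reports/catalogue_out.pl"):
            continue
        filt = rec["params"].get("Filter")
        reasons = assess_filter(filt) if filt is not None else []
        if reasons:
            # Criteria=branchcode is the code path the advisory names; a 5xx status is
            # consistent with error-based extraction but is not required for a hit.
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "criteria": rec["params"].get("Criteria", ""),
                             "filter": filt, "reasons": reasons})
    return findings
```

A quote character alone is a weak signal, so treat single-reason hits as triage candidates and rely on the version check in the Mitigation section for the actual remediation decision.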

AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Koha/Koha (inferred), 2 version ranges: <26.11.00 and 1 more
    • (no CPE) range: <26.11.00
    • (no CPE) range: through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, 26.11.x before 26.11.00

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (3)

News mentions (0)

No linked articles in our index yet.