SQL Injection Vulnerability in Koha by LibLime
CVE-2026-31844

8.7HIGH

Key Information:

Vendor

Koha Community

Status
Koha
Vendor
CVE Published:
11 March 2026

What is CVE-2026-31844?

An authenticated SQL Injection vulnerability exists within the 'displayby' parameter in the /cgi-bin/koha/suggestion/suggestion.pl script of LibLime's Koha. This flaw permits low-privileged staff users to execute arbitrary SQL queries, leading to unauthorized access to sensitive data within the database. Proper input validation and robust security measures are crucial to mitigate such risks.

Affected Version(s)

Koha Linux 24.11.0 < 24.11.12

Koha Linux 25.05.0 < 25.05.07

Koha Linux 25.11.0 < 25.11.01

References

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id...
issue-tracking
https://koha-community.gitlab.io/KohaAdvent/2025-12-09-se...
vendor-advisory
https://koha-community.org/koha-25-11-01-released/
release-notes

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Raximov Shukrulloh (Monthra)
.