SQL Injection Vulnerability in Koha Community's Reporting Module
CVE-2026-6428

5.6 MEDIUM

Key Information:

Status
Vendor: Koha Community
CVE Published: 13 June 2026

What is CVE-2026-6428?

A SQL injection vulnerability exists in the reporting module of Koha Community's Koha library management software. An authenticated staff user can inject SQL through the 'Filter' URL parameter of reports/catalogue_out.pl because the parameter's value is placed into the query text instead of being passed as a bound value. A successful attacker can read data from the application's database well beyond what the report is meant to expose, including password hashes, two-factor authentication secrets and borrower personally identifiable information (PII). The fix, released in several Koha versions, replaces the interpolated value with parameterized placeholders in the affected code.
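The flaw class and its fix, as an added illustration that is not Koha's code and does not use Koha's schema or the real Filter handling in catalogue_out.pl. Koha itself is Perl/DBI, where the same fix is a `?` placeholder; the example below uses Python's sqlite3 so the two query styles can be run side by side. The tables, rows, the `branch_filter` name and the bogus hash are all constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for an ILS database: a reportable table plus a
# sensitive table that the report is never supposed to touch. Not Koha's schema.
FAKE_HASH = "$2a$08$constructed.hash.value"


def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE items (itemnumber INTEGER PRIMARY KEY, branch TEXT, title TEXT)")
    cur.execute("CREATE TABLE borrowers (borrowernumber INTEGER PRIMARY KEY, userid TEXT, password TEXT)")
    cur.executemany("INSERT INTO items (branch, title) VALUES (?, ?)",
                    [("MAIN", "Dune"), ("MAIN", "Emma"), ("EAST", "Ulysses")])
    cur.executemany("INSERT INTO borrowers (userid, password) VALUES (?, ?)",
                    [("admin", FAKE_HASH)])
    conn.commit()
    return conn


def report_vulnerable(conn, branch_filter):
    """Report filtered by branch, built the way the advisory describes: the
    filter value is spliced into the SQL text, so it can change the query."""
    sql = f"SELECT title FROM items WHERE branch = '{branch_filter}' ORDER BY title"
    return [row[0] for row in conn.execute(sql)]


def report_fixed(conn, branch_filter):
    """Same report with the filter passed as a bound parameter. The driver
    sends the value separately from the statement, so it can only ever be a
    branch name, never SQL."""
    sql = "SELECT title FROM items WHERE branch = ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (branch_filter,))]


# Constructed payload: closes the string literal, appends a UNION that reads
# the sensitive table in the report's single output column, then comments out
# the rest of the original statement.
PAYLOAD = "x' UNION SELECT userid || ':' || password FROM borrowers -- "


def demo():
    """Return (vulnerable_result, fixed_result) for the same payload."""
    conn = build_db()
    return report_vulnerable(conn, PAYLOAD), report_fixed(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("interpolated query returned:", leaked)
    print("parameterized query returned:", safe)
```

Run with an ordinary filter value and both functions return the same titles; run with `PAYLOAD` and the interpolated version returns the credential row while the parameterized version returns nothing, because the whole payload is compared against the `branch` column as a literal string.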

Affected Version(s)

Koha before 22.11.38 (listed as 0 < 22.11.38)

Koha 23.05.00 up to and including 23.11.15 (listed as 23.05.00 <= 23.11.15)

Koha 24.05.00 up to but not including 24.11.16 (listed as 24.05.00 < 24.11.16)

References

CVSS v4

Score: 5.6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as listed on the page; CVSS v4 defines this metric as None or Present, and "Physical" is an Attack Vector value, so this entry appears to be a mapping error)
Privileges Required: Undefined (as listed; the description above requires an authenticated staff account)
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sanjar Tulkinov (Sanjarbiy)