CVE-2026-31844 HIGH

CVE-2026-31844: Authenticated SQL Injection in Koha displayby parameter of suggestion.pl

Vendor Koha Community
Product Koha
Weakness CWE-89 · SQLi
Published March 11, 2026
Last update March 11, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 11, 2026 Record updated