CVE-2026-31844

Published: Mar 11, 2026

Modified: Mar 11, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.

Vendor	Product	Versions
Koha Community	Koha	affected `24.11.0 - < 24.11.12` affected `25.05.0 - < 25.05.07` affected `25.11.0 - < 25.11.01`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593

issue-tracking

https://koha-community.gitlab.io/KohaAdvent/2025-12-09-security-all/

vendor-advisory

https://koha-community.org/koha-25-11-01-released/

release-notes

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31844

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References