{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6428", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-04-16T12:58:10.800Z", "datePublished": "2026-06-13T16:34:10.326Z", "dateUpdated": "2026-06-13T16:35:56.718Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-13T16:35:56.718Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An authenticated staff user holding the Reports module permission can inject arbitrary SQL into the auxiliary $strsth2 statement built inside sub calculate when $tablename eq 'branches'. Because the statement is sent to DBI without bound parameters, the attacker can read any row and column accessible to the Koha application database user, including the borrowers table (password hashes, two-factor authentication secrets, personally identifiable information), borrower_password_recovery, api_keys, sessions, and all circulation data. Error-based exfiltration is single-request (EXTRACTVALUE) and exposed through the DBI exception surfaced by the Reports CGI; time-based extraction and denial of service against the database remain possible even after the related information-disclosure issue (Koha bug 42366) is patched."}]}], "affected": [{"vendor": "Koha Community", "product": "Koha", "collectionURL": "https://koha-community.org/", "repo": "https://gitlab.com/koha-community/Koha", "programFiles": ["reports/catalogue_out.pl"], "versions": [{"status": "affected", "version": "0", "lessThan": "22.11.38", "versionType": "semver"}, {"status": "affected", "version": "23.05.00", "lessThanOrEqual": "23.11.15", "versionType": "semver"}, {"status": "affected", "version": "24.05.00", "lessThan": "24.11.16", "versionType": "semver"}, {"status": "affected", "version": "25.05.00", "lessThan": "25.05.11", "versionType": "semver"}, {"status": "affected", "version": "25.11.00", "lessThan": "25.11.05", "versionType": "semver"}, {"status": "affected", "version": "26.05.00", "lessThan": "26.05.01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.\n\n\n\nThe vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:\n\n\n\nmy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE '$f' \";\n\n\n\nThis enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.\n\n\n\nProof of concept (error-based, single request):\n\n\n\nGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=<LIBRARIAN_SESSION>\n\n\n\nThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).\n\n\n\nThe vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><b>SQL Injection in <code>reports/catalogue_out.pl</code> in Koha Community Koha</b> through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the <i>Reports</i> module flag to read arbitrary data from the Koha application database via the <code>Filter</code> URL parameter when the <code>Criteria</code> parameter matches <code>/branchcode/</code>.</p><p>The vulnerable sink in <code>sub calculate</code> concatenates the unmodified <code>Filter</code> request parameter directly into a <code>LIKE</code> clause of the auxiliary <code>$strsth2</code> statement and executes it via DBI without bound parameters:</p><pre>my $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE '$f' \";</pre><p>This enables error-based SQL injection (e.g., via <code>EXTRACTVALUE</code>) and full read access to sensitive tables including <code>borrowers</code> (password hashes, 2FA secrets, PII), <code>borrower_password_recovery</code>, <code>api_keys</code>, and <code>sessions</code>.</p><p><b>Proof of concept (error-based, single request):</b></p><pre>GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&amp;output=screen&amp;Limit=10&amp;Criteria=branchcode&amp;Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=&lt;LIBRARIAN_SESSION&gt;</pre><p>The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using <code>LIMIT n,1</code> / <code>SUBSTRING(...)</code>.</p><p>The vulnerable sink was introduced in commit <code>6bb77ae3e4</code> (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to <code>reports/catalogue_out.pl</code>. <b>Fixed in</b> Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.</p>"}]}], "references": [{"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361", "name": "Koha Bug 42361 - SQL Injection in reports/catalogue_out.pl via Filter parameter", "tags": ["issue-tracking", "vendor-advisory"]}, {"url": "https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199539", "name": "Bug 42361: Fix SQL injection in catalogue_out.pl (official patch)", "tags": ["patch", "vendor-advisory"]}, {"url": "https://koha-community.org/security-releases/", "name": "Koha Community Security Releases", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "An authenticated staff user holding the Reports module flag sends a crafted GET request to /cgi-bin/koha/reports/catalogue_out.pl with Criteria=branchcode and a malicious Filter parameter to read arbitrary data from the Koha application database."}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/V:C/U:Amber"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV2_0": {"version": "2.0", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:P"}}], "credits": [{"lang": "en", "value": "Sanjar Tulkinov (Sanjarbiy)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}, "x_author": "Sanjar Tulkinov (Sanjarbiy)"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.\n\n\n\nThe vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:\n\n\n\nmy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE '$f' \";\n\n\n\nThis enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.\n\n\n\nProof of concept (error-based, single request):\n\n\n\nGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=<LIBRARIAN_SESSION>\n\n\n\nThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).\n\n\n\nThe vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder."}], "id": "CVE-2026-6428", "lastModified": "2026-06-13T17:16:17.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-06-13T17:16:17.190", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199539"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://koha-community.org/security-releases/"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,22.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[23.05.00,23.11.15]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[24.05.00,24.11.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.05.00,25.05.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.11.00,25.11.05)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[26.05.00,26.05.01)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Koha", "source": "cna", "vendor": "Koha Community"}, "product": "koha", "vendor": "koha-community"}], "created": "2026-06-13T18:30:05.596458+00:00", "title": "SQL Injection via Filter Parameter in Koha Reports Module", "updated": "2026-06-13T18:30:06.052847+00:00", "vendors": ["koha-community", "koha-community$PRODUCT$koha"]}