Koha Staff Interface SQL Injection Risk: Unauthorized Database Access
CVE-2026-31844
Summary
An attacker with staff access can use a malicious request to access or modify sensitive data in the Koha database. This could potentially lead to unauthorized changes to your library's catalog and user information. Update Koha to the latest version to fix this issue and prevent unauthorized access.
Original title
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter...
Original description
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.
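The flaw described above is a request value used as a column name. The example below is added here and is not Koha's code: a constructed SQLite table stands in for the suggestions data, `distinct_values_unsafe` splices the request value into the query the way the description says the `displayby` handling does, and `distinct_values_safe` shows the usual mitigation, since a column name cannot be a bound parameter it must be checked against an allowlist of known columns before being quoted into the statement. The function names, table layout and `ALLOWED_COLUMNS` set are assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for the suggestions data (not Koha's real schema);
# the second table exists only to show what an unvalidated column name can reach.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE suggestions (suggestionid INTEGER, status TEXT, itemtype TEXT);
        CREATE TABLE other_table (token TEXT);
        INSERT INTO suggestions VALUES (1, 'ASKED', 'BK'), (2, 'ACCEPTED', 'BK'),
                                       (3, 'ASKED', 'DVD');
        INSERT INTO other_table VALUES ('constructed-secret');
    """)
    return conn

# Hypothetical vulnerable pattern: the column to group by comes straight from
# the request and is interpolated into the SQL text. Placeholders cannot fix
# this, because an identifier is part of the statement, not a value.
def distinct_values_unsafe(conn, displayby):
    sql = f"SELECT DISTINCT {displayby} FROM suggestions"
    return [row[0] for row in conn.execute(sql)]

# Mitigation: only column names the application knows about are accepted.
ALLOWED_COLUMNS = {"status", "itemtype"}   # assumed set for this illustration

def is_allowed(displayby):
    return displayby in ALLOWED_COLUMNS

def distinct_values_safe(conn, displayby):
    if not is_allowed(displayby):
        raise ValueError(f"displayby not permitted: {displayby!r}")
    # Value is now one of our own literals, so quoting it as an identifier is safe.
    sql = f'SELECT DISTINCT "{displayby}" FROM suggestions'
    return sorted(row[0] for row in conn.execute(sql))

if __name__ == "__main__":
    db = make_db()
    print(distinct_values_safe(db, "status"))      # ['ACCEPTED', 'ASKED']
    print(is_allowed("status; DROP TABLE x"))      # False
```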
NVD CVSS 2.0: 9.0
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type: CWE-89 (SQL Injection)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026