Vulnerability-Lookup

GHSA-6CMJ-32GF-5R49

Vulnerability from github – Published: 2026-06-13 18:30 – Updated: 2026-06-13 18:30

Details

The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:

my $f = @$filters[0]; $f =~ s/*/%/g; $strsth2 .= " AND $column LIKE '$f' ";

This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.

Proof of concept (error-based, single request):

GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID=

The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).

The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

Severity

7.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

5.6 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/V:C/U:Amber

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-6428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-13T17:16:17Z",
    "severity": "MODERATE"
  },
  "details": "SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.\n\n\n\nThe vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:\n\n\n\nmy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE \u0027$f\u0027 \";\n\n\n\nThis enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.\n\n\n\nProof of concept (error-based, single request):\n\n\n\nGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1\u0026output=screen\u0026Limit=10\u0026Criteria=branchcode\u0026Filter=x\u0027+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=\u003cLIBRARIAN_SESSION\u003e\n\n\n\nThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).\n\n\n\nThe vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.",
  "id": "GHSA-6cmj-32gf-5r49",
  "modified": "2026-06-13T18:30:24Z",
  "published": "2026-06-13T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6428"
    },
    {
      "type": "WEB",
      "url": "https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199539"
    },
    {
      "type": "WEB",
      "url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361"
    },
    {
      "type": "WEB",
      "url": "https://koha-community.org/security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2026-6428 (GCVE-0-2026-6428)

Vulnerability from cvelistv5 – Published: 2026-06-13 16:34 – Updated: 2026-06-13 16:35

Summary

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/. The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters: my $f = @$filters[0]; $f =~ s/\*/%/g; $strsth2 .= " AND $column LIKE '$f' "; This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions. Proof of concept (error-based, single request): GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID=<LIBRARIAN_SESSION> The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...). The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

Severity

5.6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/V:C/U:Amber

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

TuranSec

References

3 references

URL	Tags
https://bugs.koha-community.org/bugzilla3/show_bu…	issue-trackingvendor-advisory
https://bugs.koha-community.org/bugzilla3/attachm…	patchvendor-advisory
https://koha-community.org/security-releases/	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Koha Community	Koha	Affected: 0 , < 22.11.38 (semver) Affected: 23.05.00 , ≤ 23.11.15 (semver) Affected: 24.05.00 , < 24.11.16 (semver) Affected: 25.05.00 , < 25.05.11 (semver) Affected: 25.11.00 , < 25.11.05 (semver) Affected: 26.05.00 , < 26.05.01 (semver)

Credits

Sanjar Tulkinov (Sanjarbiy)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://koha-community.org/",
          "defaultStatus": "unaffected",
          "product": "Koha",
          "programFiles": [
            "reports/catalogue_out.pl"
          ],
          "repo": "https://gitlab.com/koha-community/Koha",
          "vendor": "Koha Community",
          "versions": [
            {
              "lessThan": "22.11.38",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "23.11.15",
              "status": "affected",
              "version": "23.05.00",
              "versionType": "semver"
            },
            {
              "lessThan": "24.11.16",
              "status": "affected",
              "version": "24.05.00",
              "versionType": "semver"
            },
            {
              "lessThan": "25.05.11",
              "status": "affected",
              "version": "25.05.00",
              "versionType": "semver"
            },
            {
              "lessThan": "25.11.05",
              "status": "affected",
              "version": "25.11.00",
              "versionType": "semver"
            },
            {
              "lessThan": "26.05.01",
              "status": "affected",
              "version": "26.05.00",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sanjar Tulkinov (Sanjarbiy)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eSQL Injection in \u003ccode\u003ereports/catalogue_out.pl\u003c/code\u003e in Koha Community Koha\u003c/b\u003e through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the \u003ci\u003eReports\u003c/i\u003e module flag to read arbitrary data from the Koha application database via the \u003ccode\u003eFilter\u003c/code\u003e URL parameter when the \u003ccode\u003eCriteria\u003c/code\u003e parameter matches \u003ccode\u003e/branchcode/\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThe vulnerable sink in \u003ccode\u003esub calculate\u003c/code\u003e concatenates the unmodified \u003ccode\u003eFilter\u003c/code\u003e request parameter directly into a \u003ccode\u003eLIKE\u003c/code\u003e clause of the auxiliary \u003ccode\u003e$strsth2\u003c/code\u003e statement and executes it via DBI without bound parameters:\u003c/p\u003e\u003cpre\u003emy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE \u0027$f\u0027 \";\u003c/pre\u003e\u003cp\u003eThis enables error-based SQL injection (e.g., via \u003ccode\u003eEXTRACTVALUE\u003c/code\u003e) and full read access to sensitive tables including \u003ccode\u003eborrowers\u003c/code\u003e (password hashes, 2FA secrets, PII), \u003ccode\u003eborrower_password_recovery\u003c/code\u003e, \u003ccode\u003eapi_keys\u003c/code\u003e, and \u003ccode\u003esessions\u003c/code\u003e.\u003c/p\u003e\u003cp\u003e\u003cb\u003eProof of concept (error-based, single request):\u003c/b\u003e\u003c/p\u003e\u003cpre\u003eGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1\u0026amp;output=screen\u0026amp;Limit=10\u0026amp;Criteria=branchcode\u0026amp;Filter=x\u0027+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=\u0026lt;LIBRARIAN_SESSION\u0026gt;\u003c/pre\u003e\u003cp\u003eThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using \u003ccode\u003eLIMIT n,1\u003c/code\u003e / \u003ccode\u003eSUBSTRING(...)\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThe vulnerable sink was introduced in commit \u003ccode\u003e6bb77ae3e4\u003c/code\u003e (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to \u003ccode\u003ereports/catalogue_out.pl\u003c/code\u003e. \u003cb\u003eFixed in\u003c/b\u003e Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.\u003c/p\u003e"
            }
          ],
          "value": "SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.\n\n\n\nThe vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:\n\n\n\nmy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE \u0027$f\u0027 \";\n\n\n\nThis enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.\n\n\n\nProof of concept (error-based, single request):\n\n\n\nGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1\u0026output=screen\u0026Limit=10\u0026Criteria=branchcode\u0026Filter=x\u0027+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=\u003cLIBRARIAN_SESSION\u003e\n\n\n\nThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).\n\n\n\nThe vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An authenticated staff user holding the Reports module permission can inject arbitrary SQL into the auxiliary $strsth2 statement built inside sub calculate when $tablename eq \u0027branches\u0027. Because the statement is sent to DBI without bound parameters, the attacker can read any row and column accessible to the Koha application database user, including the borrowers table (password hashes, two-factor authentication secrets, personally identifiable information), borrower_password_recovery, api_keys, sessions, and all circulation data. Error-based exfiltration is single-request (EXTRACTVALUE) and exposed through the DBI exception surfaced by the Reports CGI; time-based extraction and denial of service against the database remain possible even after the related information-disclosure issue (Koha bug 42366) is patched."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/V:C/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "An authenticated staff user holding the Reports module flag sends a crafted GET request to /cgi-bin/koha/reports/catalogue_out.pl with Criteria=branchcode and a malicious Filter parameter to read arbitrary data from the Koha application database."
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV2_0": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:P",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-13T16:35:56.718Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "Koha Bug 42361 - SQL Injection in reports/catalogue_out.pl via Filter parameter",
          "tags": [
            "issue-tracking",
            "vendor-advisory"
          ],
          "url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361"
        },
        {
          "name": "Bug 42361: Fix SQL injection in catalogue_out.pl (official patch)",
          "tags": [
            "patch",
            "vendor-advisory"
          ],
          "url": "https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199539"
        },
        {
          "name": "Koha Community Security Releases",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://koha-community.org/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_author": "Sanjar Tulkinov (Sanjarbiy)",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-6428",
    "datePublished": "2026-06-13T16:34:10.326Z",
    "dateReserved": "2026-04-16T12:58:10.800Z",
    "dateUpdated": "2026-06-13T16:35:56.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-6CMJ-32GF-5R49

CVE-2026-6428 (GCVE-0-2026-6428)

Tags

Sightings

Nomenclature