Koha up to 26.05.0 Reports reports/catalogue_out.pl strsth2 sql injection

Summaryinfo

A vulnerability marked as critical has been reported in Koha up to 26.05.0. This affects an unknown function of the file reports/catalogue_out.pl of the component Reports Module. The manipulation of the argument strsth2 leads to sql injection. This vulnerability is traded as CVE-2026-6428. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Koha up to 26.05.0. This issue affects an unknown code of the file reports/catalogue_out.pl of the component Reports Module. The manipulation of the argument strsth2 with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/. The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters: my $f = @$filters[0]; $f =~ s/\*/%/g; $strsth2 .= " AND $column LIKE '$f' "; This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions. Proof of concept (error-based, single request): GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID= The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...). The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

The weakness was shared by Sanjar Tulkinov. The advisory is shared at bugs.koha-community.org. The identification of this vulnerability is CVE-2026-6428 since 04/16/2026. The exploitation is known to be easy. The attack may be initiated remotely. A simple authentication is needed for exploitation. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1505 for this issue.

Upgrading to version 22.11.38, 24.11.16, 25.05.11, 25.11.05 or 26.05.01 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-36652). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Koha

Version

• 22.11.0
• 22.11.1
• 22.11.2
• 22.11.3
• 22.11.4
• 22.11.5
• 22.11.6
• 22.11.7
• 22.11.8
• 22.11.9
• 22.11.10
• 22.11.11
• 22.11.12
• 22.11.13
• 22.11.14
• 22.11.15
• 22.11.16
• 22.11.17
• 22.11.18
• 22.11.19
• 22.11.20
• 22.11.21
• 22.11.22
• 22.11.23
• 22.11.24
• 22.11.25
• 22.11.26
• 22.11.27
• 22.11.28
• 22.11.29
• 22.11.30
• 22.11.31
• 22.11.32
• 22.11.33
• 22.11.34
• 22.11.35
• 22.11.36
• 22.11.37
• 23.11.0
• 23.11.1
• 23.11.2
• 23.11.3
• 23.11.4
• 23.11.5
• 23.11.6
• 23.11.7
• 23.11.8
• 23.11.9
• 23.11.10
• 23.11.11
• 23.11.12
• 23.11.13
• 23.11.14
• 23.11.15
• 24.11.0
• 24.11.1
• 24.11.2
• 24.11.3
• 24.11.4
• 24.11.5
• 24.11.6
• 24.11.7
• 24.11.8
• 24.11.9
• 24.11.10
• 24.11.11
• 24.11.12
• 24.11.13
• 24.11.14
• 24.11.15
• 25.05.0
• 25.05.1
• 25.05.2
• 25.05.3
• 25.05.4
• 25.05.5
• 25.05.6
• 25.05.7
• 25.05.8
• 25.05.9
• 25.05.10
• 25.11.0
• 25.11.1
• 25.11.2
• 25.11.3
• 25.11.4
• 26.05

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion