CVE-2026-6428

Published: Giu 13, 2026 Last Modified: Giu 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,6

Source: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 7,6

Source: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: low

Availability: low

HIGH 7,5

Source: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Access Vector: network

Access Complexity: low

Authentication: single

Confidentiality: complete

Integrity: none

Availability: partial

Description

AI Translation Available

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.

The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:

my $f = @$filters[0];
$f =~ s/\*/%/g;
$strsth2 .= ' AND $column LIKE '$f' ';

This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.

Proof of concept (error-based, single request):

GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-
Cookie: CGISESSID=<LIBRARIAN_SESSION>

The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).

The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

AI Generated Translation

SQL Injection in reports/catalogue_out.pl in Koha Community Koha fino alla versione 22.11.37, 23.x, 24.x prima della 24.11.16, 25.05.x prima della 25.05.11, 25.11.x prima della 25.11.05, 26.05.x prima della 26.05.01 e 26.11.x prima della 26.11.00 consente a un utente staff autenticato con il flag del modulo Reports di leggere dati arbitrari dal database dell'applicazione Koha tramite il parametro Filter URL quando il parametro Criteria corrisponde a /branchcode/.

Il sink vulnerabile in sub calculate concatena direttamente il parametro Filter non modificato all’interno di una clausola LIKE della dichiarazione ausiliaria $strsth2 ed esegue questa query tramite DBI senza parametri legati (bound parameters):

my $f = @$filters[0];
$f =~ s/\*/%/g;
$strsth2 .= " AND $column LIKE '$f' ";

Ciò consente un'iniezione SQL basata su errore (ad esempio tramite EXTRACTVALUE) e l'accesso completo in lettura a tabelle sensibili tra cui borrowers (hash delle password, segreti 2FA, PII), borrower_password_recovery, api_keys e sessions.

Prova di concetto (basata su errore, richiesta singola):

Il corpo della risposta contiene l’eccezione di DBI che rivela la versione di MariaDB, l’utente del database, l’indirizzo IP del client e il nome del database, dopodiché è possibile estrarre dati arbitrari usando LIMIT n,1 / SUBSTRING(...).

Il sink vulnerabile è stato introdotto nel commit 6bb77ae3e4 (09/07/2008); CVE-2015-4633 ha corretto la stessa classe in file adiacenti ma non ha generalizzato la patch a reports/catalogue_out.pl. La vulnerabilità è stata corretta in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01 e 26.11.00 sostituendo la concatenazione raw con un segnaposto parametrizzato.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Authentication Access Control

Potential Impacts:

Execute Unauthorized Code Or Commands Read Application Data Gain Privileges Or Assume Identity Bypass Protection Mechanism Modify Application Data

Applicable Platforms

Languages: Not Language-Specific, SQL

Technologies: Database Server

Likelihood of Exploit: High

View CWE Details

https://bugs.koha-community.org/bugzilla3/attachment.cgi?id…

https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199539

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=4…

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361

https://koha-community.org/security-releases/

CVE-2026-6428

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter