Description

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.

INFO

Published Date :

2026-03-11T06:34:14.869Z

Last Modified :

2026-03-11T14:02:52.043Z

Source :

TuranSec
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31844 vulnerability.

Vendors Products
Koha
  • Koha
Koha-community
  • Koha
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31844.

URL Resource
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 cve-icon cve-icon
https://koha-community.gitlab.io/KohaAdvent/2025-12-09-security-all/ cve-icon cve-icon
https://koha-community.org/koha-25-11-01-released/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact