Koha · Koha · CVE-2026-31844
**Name of the Vulnerable Software and Affected Versions**
Koha (affected versions not specified)
**Description**
An authenticated SQL Injection issue exists in the Koha staff interface. The issue is located in the `/cgi-bin/koha/suggestion/suggestion.pl` endpoint, specifically due to insufficient validation of the `displayby` parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries through crafted requests to this parameter. Exploitation may lead to the execution of unintended SQL statements and the disclosure of sensitive database information, potentially resulting in full compromise of the backend database and modification of stored data.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.