CVE-2026-31844

Name of the Vulnerable Software and Affected Versions Koha (affected versions not specified)

Description An authenticated SQL Injection issue exists in the Koha staff interface. The issue is located in the /cgi-bin/koha/suggestion/suggestion.pl endpoint, specifically due to insufficient validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries through crafted requests to this parameter. Exploitation may lead to the execution of unintended SQL statements and the disclosure of sensitive database information, potentially resulting in full compromise of the backend database and modification of stored data.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.