CVE-2026-6428 Koha Community CVE debrief

Who should care

Users of Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 should apply the patches to prevent SQL injection attacks.

Technical summary

The vulnerable code is in the sub calculate function where it concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters. This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.

Defensive priority

High

Recommended defensive actions

• Apply patches: Upgrade to Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, or 26.11.00.
• Restrict access to the Reports module to only trusted staff users.
• Monitor for suspicious activity on the Koha application.

Evidence notes

The vulnerability was introduced in commit 6bb77ae3e4 (2008-07-09) and was fixed by replacing the raw concatenation with a parameterised placeholder.

Official resources