MEDIUM
Koha Community
CVE published 2026-06-13
CVE-2026-6428
CVE-2026-6428 is a SQL injection vulnerability in Koha Community Koha through various versions. An authenticated staff user with the Reports module flag can use the Filter URL parameter in reports/catalogue_out.pl to read arbitrary data from the Koha application database when the Criteria parameter matches /branchcode/. The vulnerability is due to the vulnerable sink in sub calculate concatenating the unm [truncated]