Cyber Resilience

CVE-2024-36058

Critical

Published: 07 April 2026

Published
07 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0048 37.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2024-36058 is a critical-severity SQL Injection (CWE-89) vulnerability in Koha Community (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-36058 is a time-based SQL injection vulnerability in the Send Basket functionality of Koha Library software versions prior to 23.05.10. The issue stems from inadequate sanitization of the POST parameter bib_list in the script /cgi-bin/koha/opac-sendbasket.pl, enabling attackers to manipulate database queries. Classified under CWE-89 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it poses a critical risk due to its high impact on confidentiality, integrity, and availability.

Any unauthenticated library user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious payloads in the bib_list parameter, attackers can extract arbitrary data from the database through timing-based blind SQL injection techniques, potentially compromising sensitive library patron information, bibliographic records, or other backend data stores.

Koha release notes for versions 23.05.10 and 23.05.11 document the fix, recommending immediate upgrades to these or later versions to mitigate the vulnerability. A proof-of-concept is available in the associated GitHub research repository at https://github.com/hacklantic/Research/tree/main/CVE-2024-36058, highlighting the need for input validation and prepared statements in affected deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

CVE-2024-36058 is a SQL injection in a public-facing web application (Koha opac-sendbasket.pl), enabling unauthenticated remote exploitation (T1190) to extract arbitrary data from databases via time-based blind SQLi (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25199Shared CWE-89
CVE-2026-27179Shared CWE-89
CVE-2025-0308Shared CWE-89
CVE-2019-25581Shared CWE-89
CVE-2026-27885Shared CWE-89
CVE-2019-25479Shared CWE-89
CVE-2026-1476Shared CWE-89
CVE-2019-25526Shared CWE-89
CVE-2025-69365Shared CWE-89
CVE-2019-25573Shared CWE-89

Affected Assets

Koha Community
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs like the bib_list POST parameter to prevent time-based SQL injection attacks.

prevent

Mandates timely identification, reporting, and remediation of known flaws, such as upgrading Koha to version 23.05.10 or later to fix the SQL injection vulnerability.

prevent

Enforces restrictions on information inputs to limit them to expected types, formats, and content, blocking malicious SQL payloads in the bib_list parameter.

References