CVE-2026-31844
Published: 11 March 2026
Summary
CVE-2026-31844 is a high-severity SQL Injection (CWE-89) vulnerability in Koha (vendor: Koha). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 35.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-31844 is an authenticated SQL injection vulnerability (CWE-89) in the Koha staff interface, specifically the /cgi-bin/koha/suggestion/suggestion.pl endpoint. The flaw stems from improper validation of the displayby parameter used by the GetDistinctValues functionality, enabling injection of arbitrary SQL queries. It affects Koha, an open-source library management system, and was published on 2026-03-11 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A low-privileged staff user with access to the Koha staff interface can exploit this vulnerability by sending crafted requests to the displayby parameter. Successful exploitation allows execution of unintended SQL statements, potentially exposing sensitive database information and leading to full compromise of the backend database, including disclosure or modification of stored data.
Koha community advisories detail the issue in bug report 41593 and a security-focused post from December 2025, with mitigation available in the Koha 25.11.01 release. Security practitioners should upgrade to this patched version and review access controls for staff interface endpoints.
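The root cause described above, and the SI-10 input-validation control named in the summary, come down to one pattern: a parameter such as displayby selects a column, and a column name cannot be passed to the database as a bind parameter, so it must be checked against a fixed allowlist before it reaches the query text. The following is an added illustration written for this page, not Koha's own code (Koha is written in Perl, and its real suggestion.pl and GetDistinctValues code are not reproduced here). The table, the allowlist contents and the sample rows are constructed for the demonstration; the unsafe function shows the vulnerable splicing pattern next to the hardened form.

```python
"""Allowlisting a column-selector parameter before it reaches SQL.

Illustrative Python/sqlite3 code; the table, columns and rows are
constructed and do not reflect Koha's real schema.
"""
import sqlite3

# Hypothetical allowlist of columns a "displayby"-style selector may name.
ALLOWED_DISPLAYBY = frozenset({"status", "branchcode", "itemtype"})


def setup_db():
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE suggestions (suggestionid INTEGER PRIMARY KEY, "
        "status TEXT, branchcode TEXT, itemtype TEXT, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO suggestions (status, branchcode, itemtype, note) "
        "VALUES (?, ?, ?, ?)",
        [
            ("ASKED", "CPL", "BK", "constructed row 1"),
            ("ACCEPTED", "CPL", "BK", "constructed row 2"),
            ("ASKED", "MPL", "CD", "constructed row 3"),
        ],
    )
    return conn


def distinct_values_unsafe(conn, displayby):
    """Vulnerable pattern: the selector is spliced straight into the SQL text.

    Because an identifier cannot be bound as a parameter, this is exactly the
    point where an unvalidated request value becomes part of the statement.
    """
    sql = f"SELECT DISTINCT {displayby} FROM suggestions ORDER BY 1"
    return [row[0] for row in conn.execute(sql)]


def distinct_values_safe(conn, displayby, branchcode=None):
    """Hardened pattern: allowlist the identifier, bind the values.

    Only a fixed set of known column names can reach the query string; any
    value-level filter (here an optional branch code) goes through a bind
    parameter rather than string formatting.
    """
    if displayby not in ALLOWED_DISPLAYBY:
        raise ValueError(f"displayby not permitted: {displayby!r}")
    sql = f'SELECT DISTINCT "{displayby}" FROM suggestions'
    params = ()
    if branchcode is not None:
        sql += " WHERE branchcode = ?"
        params = (branchcode,)
    sql += " ORDER BY 1"
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    """Return the accepted result and whether an unlisted column was rejected."""
    conn = setup_db()
    ok = distinct_values_safe(conn, "status")  # ['ACCEPTED', 'ASKED']
    try:
        distinct_values_safe(conn, "note")  # not in the allowlist
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist, not quoting or escaping, is the control: quoting the identifier after the check is a belt-and-braces measure, but it is the membership test that keeps anything other than a known column name out of the statement, which is the property SI-10 asks for at this endpoint.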
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11109
Vulnerability details
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated SQL injection in a network-accessible web staff interface (AV:N) maps directly to T1190: a crafted displayby parameter value executes arbitrary SQL, exposing or modifying backend data.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly addresses the root cause by requiring validation of user inputs such as the displayby parameter to block SQL injection in the Koha staff interface.
Mandates timely identification, reporting, and patching of flaws such as this SQL injection vulnerability fixed in Koha 25.11.01.
RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning that would identify SQL injection flaws in endpoints such as /cgi-bin/koha/suggestion/suggestion.pl.