
CVE-2026-31844

Severity: High
Published: 11 March 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: Koha 25.11.01
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0044 (35.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31844 is a high-severity SQL Injection (CWE-89) vulnerability in Koha (vendor Koha, product Koha). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 35.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31844 is an authenticated SQL injection vulnerability (CWE-89) in the Koha staff interface, specifically the /cgi-bin/koha/suggestion/suggestion.pl endpoint. The flaw stems from improper validation of the displayby parameter used by the GetDistinctValues functionality: the value controls which column the query selects distinct values from, and an unvalidated value lets the caller alter the SQL statement. It affects Koha, an open-source library management system, and was published on 2026-03-11 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); the CVSS v4.0 score shown above is 8.7.

A low-privileged staff user with access to the Koha staff interface can exploit this vulnerability by sending crafted requests to the displayby parameter. Successful exploitation allows execution of unintended SQL statements, potentially exposing sensitive database information and leading to full compromise of the backend database, including disclosure or modification of stored data.
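The vulnerable and hardened forms of the pattern described above, as an added example in Python with SQLite. It is not Koha's code (Koha is written in Perl) and does not reproduce the real GetDistinctValues routine or the project's fix; the table, column names, allowlist and payload are constructed for the demonstration. The point it makes is that a column name cannot be passed as a bound parameter, so the only sound defence for a "display by" selector is an exact-match allowlist applied before the identifier reaches the statement text.

```python
import sqlite3

# Constructed in-memory schema for the demonstration. It is NOT Koha's schema;
# the table and column names are placeholders chosen for the example.
SCHEMA = """
CREATE TABLE suggestions (
    suggestionid INTEGER PRIMARY KEY,
    title        TEXT,
    branchcode   TEXT,
    STATUS       TEXT
);
CREATE TABLE borrowers (
    borrowernumber INTEGER PRIMARY KEY,
    userid         TEXT,
    password       TEXT
);
INSERT INTO suggestions (title, branchcode, STATUS) VALUES
    ('Book A', 'MAIN', 'ASKED'),
    ('Book B', 'MAIN', 'ACCEPTED'),
    ('Book C', 'WEST', 'ASKED');
INSERT INTO borrowers (userid, password) VALUES
    ('admin',  'HASH$constructed1'),
    ('staff1', 'HASH$constructed2');
"""

# Column names a "display by" selector is legitimately allowed to group on
# (assumed allowlist for the example).
ALLOWED_DISPLAYBY = frozenset({"STATUS", "branchcode", "title"})


def connect() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_distinct_values_vulnerable(db: sqlite3.Connection, displayby: str) -> list:
    """Vulnerable pattern: the caller-supplied column name is interpolated into
    the statement text. Placeholders cannot carry identifiers, so whatever the
    client sends becomes part of the SQL."""
    sql = f"SELECT DISTINCT {displayby} FROM suggestions"
    return [row[0] for row in db.execute(sql)]


def is_displayby_allowed(displayby: str) -> bool:
    """Exact-match allowlist check: no normalisation, no substring matching."""
    return displayby in ALLOWED_DISPLAYBY


def get_distinct_values_safe(db: sqlite3.Connection, displayby: str) -> list:
    """Hardened pattern: refuse any identifier that is not on the allowlist,
    then quote the (now known-good) identifier when building the statement."""
    if not is_displayby_allowed(displayby):
        raise ValueError(f"displayby value not permitted: {displayby!r}")
    sql = f'SELECT DISTINCT "{displayby}" FROM suggestions'
    return [row[0] for row in db.execute(sql)]


# A crafted displayby value of the kind the advisory describes (constructed).
# It completes the intended SELECT, appends a UNION that reads a different
# table, and the trailing comment marker swallows the rest of the statement.
PAYLOAD = (
    "STATUS FROM suggestions "
    "UNION SELECT userid || ':' || password FROM borrowers --"
)


def demo() -> dict:
    db = connect()
    return {
        "legit": sorted(get_distinct_values_vulnerable(db, "STATUS")),
        "injected": sorted(get_distinct_values_vulnerable(db, PAYLOAD)),
        "safe_rejects_payload": not is_displayby_allowed(PAYLOAD),
        "safe_legit": sorted(get_distinct_values_safe(db, "STATUS")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable function returning the borrowers' credential column alongside the suggestion statuses, while the hardened function refuses the same value before any SQL is built. Quoting the identifier in the safe version is belt-and-braces; the allowlist is what actually closes the hole.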

Koha community advisories detail the issue in bug report 41593 and in a security-focused post from December 2025; the fix shipped in the Koha 25.11.01 release. Security practitioners should upgrade to a fixed release (25.11.01 on the 25.11 branch; the affected-version ranges listed below end at 24.11.12 and 25.05.07 on the older branches), and review who holds staff-interface accounts, since only a staff login is needed to reach the endpoint.


Vulnerability details

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The injection is reachable over the network in the web-based staff interface (AV:N) and, with a crafted displayby value, lets the caller execute arbitrary SQL and read or modify backend data, which is the T1190 pattern. The caveat is PR:L: the attacker needs a valid low-privileged staff login, so in practice T1190 here follows a compromised or malicious staff account, and the staff interface is often not exposed to the internet, which narrows the population that can attempt it for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
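A retrospective hunt for attempts against this endpoint in web-server access logs, as an added example that is not taken from the page or from Koha. The log lines are constructed, and the set of expected displayby values is an assumption for the example; in a real hunt, build that set from the values seen in your own normal staff traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory.
TARGET_PATH = "/cgi-bin/koha/suggestion/suggestion.pl"

# Assumed set of values the selector normally carries. This is NOT Koha's list;
# derive the real one from observed legitimate traffic before hunting.
EXPECTED_DISPLAYBY = frozenset({"STATUS", "branchcode", "itemtype", "managedby"})

# Common/combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Tokens that have no business in a column-name selector.
SQL_META_RE = re.compile(r"""['";]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.I)


def analyse_line(line: str):
    """Return a finding for a suspicious displayby value sent to the target
    endpoint, or None if the line is not a request of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    for value in parse_qs(parts.query).get("displayby", []):
        # parse_qs has decoded once; decode again to catch double encoding (%2527).
        candidates = {value, unquote_plus(value)}
        if candidates <= EXPECTED_DISPLAYBY:
            continue
        hit = any(SQL_META_RE.search(c) for c in candidates)
        return {
            "client": m["client"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "displayby": value,
            "reason": "sql metacharacters" if hit else "not on expected list",
        }
    return None


def scan_log(text: str) -> list:
    """Run analyse_line over every line and keep the findings, in log order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


# Constructed sample lines: one normal request, a UNION attempt, a
# double-encoded quote probe, an unrelated page, and an unexpected value.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /cgi-bin/koha/suggestion/suggestion.pl?displayby=STATUS HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2026:09:15:47 +0000] "GET /cgi-bin/koha/suggestion/suggestion.pl?displayby=STATUS%20UNION%20SELECT%20userid%20FROM%20borrowers-- HTTP/1.1" 200 6044
10.0.0.9 - - [12/Mar/2026:09:16:10 +0000] "GET /cgi-bin/koha/suggestion/suggestion.pl?displayby=STATUS%2527 HTTP/1.1" 500 312
10.0.0.5 - - [12/Mar/2026:09:17:00 +0000] "GET /cgi-bin/koha/mainpage.pl HTTP/1.1" 200 2210
10.0.0.7 - - [12/Mar/2026:09:18:31 +0000] "GET /cgi-bin/koha/suggestion/suggestion.pl?displayby=publishercode HTTP/1.1" 200 5099
"""


def run_sample() -> list:
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two limits worth stating: staff-interface forms may submit displayby by POST, in which case the value never appears in the access log and you need application or WAF logs instead; and because the endpoint requires a staff session (PR:L), each hit should be tied back to the authenticated Koha user, not just the client address. A 500 response to a probe, as in the third sample line, is the classic sign of a broken statement and is worth triaging even when no data was returned.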

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor koha, product koha: 25.11.00; 24.11.0 to 24.11.12; 25.05.0 to 25.05.07

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the root cause by requiring validation of user inputs such as the displayby parameter before they reach SQL in the Koha staff interface. For an identifier like a column name that means an exact-match allowlist, since parameter binding cannot be applied to identifiers.

SI-2 Flaw Remediation (prevent, recover)
Mandates timely identification, reporting, and patching of flaws such as this SQL injection, fixed in Koha 25.11.01.

RA-5 Vulnerability Monitoring and Scanning (detect)
Requires vulnerability scanning that would identify SQL injection flaws in endpoints like /cgi-bin/koha/suggestion/suggestion.pl. Note that the endpoint sits behind the staff login (PR:L), so an unauthenticated scan will not reach it; the scanner needs a low-privileged staff credential to test it.
