CVE-2026-31844
An authenticated SQL Injection vulnerability CWE-89 exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL...
EUVD-2025-7619
Malicious code in bioql PyPI...
CVE-2025-30076
Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter...
CVE-2025-22954
GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter...
CVE-2024-28739
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter...
Koha SQL Injection Vulnerability
Koha is the Koha organization's system for automated library management and site building. A security vulnerability exists in Koha Library Software version 23.0.5.04 and earlier that could allow a remote attacker to obtain sensitive information via Intranet/cgi-bin/cataloging/ysearch.pl...