[Bug 42361] [CVE-2026-6428] SQL Injection in reports/catalogue_out.pl via Filter parameter (error-based, triggered when Criteria matches /branchcode/)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|SQL Injection in |[CVE-2026-6428] SQL |reports/catalogue_out.pl |Injection in |via Filter parameter |reports/catalogue_out.pl |(error-based, triggered |via Filter parameter |when Criteria matches |(error-based, triggered |/branchcode/) |when Criteria matches | |/branchcode/) --- Comment #28 from David Cook <dcook@prosentient.com.au> --- (In reply to Sanjarbiy from comment #27)
CVE-2026-6428 has been assigned and published for this issue via TuranSecurity (a CVE Numbering Authority). Public record: https://www.cve.org/CVERecord?id=CVE-2026-6428 . Thanks to David and Jonathan for the fix and review.
Thanks, Sanjar, for reporting the issue and respecting our process. I recognise the name Turan Security. We've had other reports from employees/former employees from there. Very happy to keep working with you on the issues you report. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org