CVE-2026-31844 is an authenticated SQL Injection vulnerability classified under CWE-89, found in the Koha Community's Koha library management system. The vulnerability resides in the displayby parameter of the suggestion.pl CGI script, which fails to properly neutralize special elements in SQL commands. This improper sanitization allows a low-privileged staff user to inject arbitrary SQL queries into the backend database. Since the vulnerability is exploitable remotely over the network without user interaction and requires only low-level privileges, it enables attackers to retrieve sensitive information, manipulate data integrity, or potentially disrupt availability. The affected versions include 24.11.0, 25.05.0, and 25.11.0. The CVSS v4.0 score is 8.7 (high), reflecting the vulnerability's ease of exploitation (low attack complexity), lack of required authentication beyond low privilege, and high impact on confidentiality, integrity, and availability. No public exploit code has been reported yet, but the vulnerability's characteristics make it a critical risk for organizations relying on Koha for library management. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

The impact of CVE-2026-31844 is significant for organizations using Koha, particularly libraries, educational institutions, and other entities managing large volumes of sensitive patron and bibliographic data. Exploitation can lead to unauthorized disclosure of sensitive information such as user records, borrowing histories, and internal system data. Attackers could also alter or delete database records, undermining data integrity and potentially disrupting library operations. Given the vulnerability requires only low-privileged authenticated access, insider threats or compromised low-level accounts pose a serious risk. The ability to execute arbitrary SQL commands could also facilitate further lateral movement or privilege escalation within the affected environment. Overall, this vulnerability threatens confidentiality, integrity, and availability of critical library management systems worldwide.

To mitigate CVE-2026-31844, organizations should immediately restrict access to the affected suggestion.pl CGI endpoint to trusted staff only and monitor for unusual database query patterns indicative of SQL injection attempts. Implement strict input validation and sanitization on the displayby parameter, ideally by applying parameterized queries or prepared statements in the application code. Until an official patch is released, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the vulnerable parameter. Conduct thorough audits of user privileges to ensure minimal necessary access is granted to staff accounts. Additionally, enable detailed logging and alerting on database query anomalies to detect exploitation attempts early. Organizations should stay informed on Koha Community updates and apply official patches promptly once available.