This vulnerability is an SQL Injection (CWE-89) in the reports/catalogue_out.pl script of Koha Community Koha. Authenticated staff users with the Reports module flag can exploit the Filter URL parameter when Criteria equals 'branchcode' to inject SQL code due to direct concatenation of unescaped input into a LIKE clause. This enables error-based SQL injection techniques, allowing reading of sensitive database tables such as borrowers (including password hashes and 2FA secrets), borrower_password_recovery, api_keys, and sessions. The flaw was introduced in 2008 and was not addressed by a prior patch (CVE-2015-4633) which fixed similar code elsewhere. The issue was fixed by replacing raw SQL concatenation with parameterized placeholders in Koha versions 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00.

An authenticated staff user with Reports module access can exploit this vulnerability to perform error-based SQL injection, allowing them to read arbitrary sensitive data from the Koha application database. This includes access to borrower information such as password hashes, two-factor authentication secrets, personally identifiable information, password recovery data, API keys, and session information. The vulnerability does not allow unauthenticated access but compromises confidentiality of sensitive data within the application database.

Fixed versions are available: Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 include the patch replacing unsafe SQL concatenation with parameterized queries. Users should upgrade to these versions or later to remediate this vulnerability. No official vendor advisory content was provided, so patch status is inferred from the description. Patch status is confirmed by the presence of fixed versions. No additional mitigations are indicated.