An authenticated SQL injection vulnerability in the Koha reports module could allow staff users to extract sensitive information from the underlying database.

This is a SQL injection vulnerability within the reports/catalogue_out.pl script. An authenticated staff user with the Reports module capability can manipulate the Filter URL parameter to execute arbitrary database queries.

With a CVSS score of 7.6, this vulnerability represents a significant risk of data exposure. An attacker could exfiltrate sensitive patron or library data, leading to severe privacy violations and potential regulatory non-compliance.

Immediate Action: Upgrade to the patched versions: 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, or 26.11.00.

Proactive Monitoring: Enable database query logging and review logs for suspicious or malformed queries originating from the Reports module.

Compensating Controls: Implement strict Web Application Firewall (WAF) rules to filter and sanitize input parameters in the reports/catalogue_out.pl path.

Public Exploit Available: true

The availability of a public exploit significantly elevates the risk of this vulnerability. Administrators must apply the vendor patches immediately to prevent unauthorized data access and minimize the window of exposure.