What is Canada Revenue Agency - Agence du revenu du Canada's cybersecurity risk score?

Canada Revenue Agency - Agence du revenu du Canada has an AI-generated cybersecurity risk score of 786 out of 1000, indicating a Fair security posture according to Rankiteo's assessment.

How many security incidents has Canada Revenue Agency - Agence du revenu du Canada experienced?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Canada Revenue Agency - Agence du revenu du Canada been affected by any supply chain cyber incidents ?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.

Does Canada Revenue Agency - Agence du revenu du Canada have SOC 2 Type 1 certification ?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada is not certified under SOC 2 Type 1.

Does Canada Revenue Agency - Agence du revenu du Canada have SOC 2 Type 2 certification ?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada does not hold a SOC 2 Type 2 certification.

Does Canada Revenue Agency - Agence du revenu du Canada comply with GDPR ?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada is not listed as GDPR compliant.

Does Canada Revenue Agency - Agence du revenu du Canada have PCI DSS certification ?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada does not currently maintain PCI DSS compliance.

Does Canada Revenue Agency - Agence du revenu du Canada comply with HIPAA ?

According to Rankiteo, Canada Revenue Agency - Agence du revenu du Canada is not compliant with HIPAA regulations.

Does Canada Revenue Agency - Agence du revenu du Canada have ISO 27001 certification ?

According to Rankiteo,Canada Revenue Agency - Agence du revenu du Canada is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Which industry does Canada Revenue Agency - Agence du revenu du Canada operate in ?

Canada Revenue Agency - Agence du revenu du Canada operates primarily in the Government Administration industry.

How many employees does Canada Revenue Agency - Agence du revenu du Canada have ?

Canada Revenue Agency - Agence du revenu du Canada employs approximately 16,790 people worldwide.

Does Canada Revenue Agency - Agence du revenu du Canada own any subsidiaries ?

Canada Revenue Agency - Agence du revenu du Canada presently has no subsidiaries across any sectors.

How many LinkedIn followers does Canada Revenue Agency - Agence du revenu du Canada have ?

Canada Revenue Agency - Agence du revenu du Canada's official LinkedIn profile has approximately 618,056 followers.

What is the NAICS classification code for Canada Revenue Agency - Agence du revenu du Canada ?

Canada Revenue Agency - Agence du revenu du Canada is classified under the NAICS code 92, which corresponds to Public Administration.

Does Canada Revenue Agency - Agence du revenu du Canada have a Crunchbase profile ?

No, Canada Revenue Agency - Agence du revenu du Canada does not have a profile on Crunchbase.

Does Canada Revenue Agency - Agence du revenu du Canada have a LinkedIn profile ?

Yes, Canada Revenue Agency - Agence du revenu du Canada maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/cra-arc.

How many cybersecurity incidents has Canada Revenue Agency - Agence du revenu du Canada experienced ?

As of June 14, 2026, Rankiteo reports that Canada Revenue Agency - Agence du revenu du Canada has experienced 7 cybersecurity incidents.

How many peer or competitor companies does Canada Revenue Agency - Agence du revenu du Canada have ?

Canada Revenue Agency - Agence du revenu du Canada has an estimated 12,888 peer or competitor companies worldwide.

What types of cybersecurity incidents has Canada Revenue Agency - Agence du revenu du Canada faced ?

Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Breach and Cyber Attack.

NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop

WindowsmacOSLinux

Download

Badge your company to reduce your risk score and your cyber insurance costs!

Link verified badges to your company page to build trust with insurers and customers.

Apply now and get your badge!

Internal validation & live display

Insurers and partners see a safer profile

Faster underwriting decisions

Trusted by insurers. Chosen by leaders.

Proud contributor to the Society of Actuaries.

CRAADRDC

Boost Score +25 with badge (5 left)

786

/1000

Fair

811

/1000

Good

Canada Revenue Agency - Agence du revenu du Canada Vendor Cyber Rating & Cyber Score

canada.ca

Add Your Compliance Badge

Welcome to the Canada Revenue Agency’s (CRA) official LinkedIn page! 🇨🇦 We take pride in our diverse workforce, which brings a wide range of skills and perspectives to the Canada Revenue Agency, and remain committed to fostering an inclusive workplace where everyone can thrive. We’re on a mission to better serve Canadians, with the goal to be trusted, fair, and helpful by putting people first. Our dedication has earned us recognition as one of Canada's Top Employers for Young People, Canada’s Best Diversity Employers and National Capital Region’s Top Employer. Follow us for more on job opportunities, important information about benefits, credits, and all things taxes. Terms and Conditions: http://ow.ly/XpI030iPAP9 Bienvenue sur la

CRAADRDC A.I CyberSecurity Scoring

Scoring History

CRAADRDC

Canada Revenue Agency - Agence du revenu du Canada CyberSecurity News & History

Past Incidents

Attack Types

Entity

Type

Severity

Impact

Seen

Blog Details

Supply Chain Source

Incident Details

View

Canada Revenue Agen...

Breach

10/2025

TRA270222710182...

Canada Revenue Agen...

Breach

5/2025

OFF100251009182...

Canada Revenue Agen...

Breach

10/2022

CAN206221122

Government of Canad...

Cyber Attack

3/2020

GOV1766174849

Canada Revenue Agen...

Data Leak

08/2018

GOV12181122

Canada Revenue Agen...

Breach

06/2018

CAN17246822

Canada Revenue Agen...

Cyber Attack

100

06/2015

GOV192330422

Loading…

A.I.

CRAADRDC Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months

Actual

Prediction

Incident Predictions locked

Access Monitoring Plan

A.I Risk Score Likelihood 3 - 6 - 9 months

Actual

Prediction A

Prediction B

Prediction C

Prediction D

A.I. Risk Score Predictions locked

Access Monitoring Plan

Loading…

Underwriter Stats for CRAADRDC

Incidents vs Government Administration Industry Avg (This Year)

No incidents recorded for Canada Revenue Agency - Agence du revenu du Canada in 2026.

Incidents vs All-Companies Average (This Year)

No incidents recorded for Canada Revenue Agency - Agence du revenu du Canada in 2026.

Incident Types CRAADRDC vs Government Administration Industry Avg (This Year)

No incidents recorded for Canada Revenue Agency - Agence du revenu du Canada in 2026.

Incident History - CRAADRDC (X = Date, Y = Severity)

Loading…

SUBSIDIARY

Canada Revenue Agency - Agence du revenu du Canada Subsidiaries

CRAADRDC

Government Administration

Website: http://canada.ca/taxes

Company Size: 10,001+ employees

Government of CanadaGovernment Administration

Health Canada | Santé CanadaGovernment Administration

Service CanadaGovernment Administration

Statistics Canada | Statistique CanadaGovernment Administration

Canada Border Services Agency | Agence des services frontaliers du CanadaGovernment Administration

Public Health Agency of Canada | Agence de la santé publique du CanadaGovernment Administration

Public Services and Procurement Canada | Services publics et Approvisionnement CanadaGovernment Administration

PSPC Jobs | Emplois SPACGovernment Administration

Real Property Services / Services immobiliersGovernment Administration

Marine Procurement | Approvisionnement MaritimeShipbuilding

Translation Bureau | Bureau de la traductionGovernment Administration

Environment and Climate Change CanadaGovernment Administration

National Research Council Canada / Conseil national de recherches CanadaResearch Services

Finance Canada / Finances CanadaGovernment Administration

Innovation, Science and Economic Development Canada | Innovation, Sciences et Développement économique CanadaGovernment Administration

Innovative Solutions CanadaGovernment Relations Services

Canada Digital Adoption Program | Programme canadien d'adoption du numériqueGovernment Relations Services

Canadian Armed Forces | Forces armées canadiennesArmed Forces

Transport Canada - Transports CanadaGovernment Administration

Department of Justice Canada | Ministère de la Justice du CanadaGovernment Administration

Canadian Food Inspection AgencyGovernment Administration

Immigration and Refugee Board of Canada | Commission de l'immigration et du statut de réfugiéGovernment Administration

Canada Mortgage and Housing Corporation (CMHC) Société canadienne d'hypothèques et de logement(SCHL)Government Administration

Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du CanadaGovernment Administration

Public Safety Canada | Sécurité publique CanadaPublic Safety

Canadian Institutes of Health Research | Instituts de recherche en santé du CanadaGovernment Administration

Trade Commissioner Service | Service des délégués commerciauxInternational Trade and Development

Emploi et Développement social Canada (EDSC) / Employment and Social Development Canada (ESDC)Government Administration

Labour ProgramGovernment Administration

Programme du travailGovernment Administration

Canada 2030 AgendaGovernment Administration

Programme 2030 CanadaGovernment Administration

Natural Sciences and Engineering Research Council of Canada (NSERC)Government Administration

Federal Economic Development Agency for Southern Ontario | Agence fédérale de ...Government Administration

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du CanadaGovernment Administration

Canadian Centre for Occupational Health and SafetyGovernment Administration

Shared Services Canada | Services partagés CanadaGovernment Administration

WAGE / FEGCGovernment Administration

Veterans Affairs Canada / Anciens Combattants CanadaGovernment Administration

Canada School of Public Service | École de la fonction publique du CanadaGovernment Administration

Doing Business with the Government of Canada | Faire affaire avec le gouvernement du CanadaGovernment Administration

Canadian Armed Forces | Forces armées canadiennesArmed Forces

SSHRC-CRSHGovernment Administration

Prairies Economic Development Canada I Développement économique Canada pour les PrairiesGovernment Administration

Communications Security Establishment Canada | Centre de la sécurité des télécommunications CanadaGovernment Administration

ACOA - APECAGovernment Administration

CRTCTelecommunications

Commission de la fonction publique du Canada | Public Service Commission of CanadaGovernment Administration

Canadian Intellectual Property Office / Office de la propriété intellectuelle du CanadaGovernment Administration

Competition Bureau CanadaLaw Enforcement

Public Prosecution Service of Canada | Service des poursuites pénales du CanadaGovernment Administration

Policy Horizons Canada - Horizons de politiques CanadaGovernment Administration

Canada Economic Development for Quebec RegionsGovernment Administration

Get Cyber SafeGovernment Administration

My Source | Ma sourceGovernment Administration

Bureau de la concurrence CanadaLaw Enforcement

Inside ECCC | Ici à ECCCGovernment Administration

Régie de l’énergie du CanadaGovernment Administration

Pensez cybersécuritéGovernment Administration

Centre canadien d'hygiène et de sécurité au travail (CCHST)Government Administration

Loading…

Canada Revenue Agency - Agence du revenu du Canada Similar Companies

State of Tennessee

tn.gov

State government is the largest employer in Tennessee, with approximately 43,500 employees in the three branches of government. The State of Tennessee has approximately 1,300 different job classifications in areas such as administrative, health services, historic preservation, legal, agriculture, counseling, and medical. If you are interested in becoming a data scientist, attorney, nurse, wildlife officer, physician, education consultant, trooper, computer programmer or an epidemiologist, explore all of the job opportunities the State of Tennessee has to offer. The State is looking to recruit, retain, and reward a talented workforce through the implementation of a merit-based pay system. Stop back often for news, updates and opportunities -- thanks for visiting!

IBGE

ibge.gov.br

The Brazilian Institute of Geography and Statistics or IBGE (Portuguese: Instituto Brasileiro de Geografia e Estatística), is the agency responsible for statistical, geographic, cartographic, geodetic and environmental information in Brazil. The IBGE performs a national census every ten years, and the questionnaires account for information such as age, household income, literacy, education, occupation and hygiene levels. IBGE is an institution of the Federal Government, constituted a public foundation by Decree Law No. 161 of February 13, 1967, and is bound to the Brazilian Department of Planning, Budget and Management. It has four directors and two other central organs. IBGE has a network of national research and dissemination components, comprising: 27 state units (26 in state capitals and one in the Federal District); 27 centres for documentation and dissemination of information (26 in the capital and one in the Federal District); 581 data collection agencies in major cities. The IBGE also maintains the Roncador Ecological Reserve, situated 35 km south of Brasília.

Västra Götalandsregionen

vgregion.se

Region Västra Götaland is governed by democratically elected politicians and with just over 50,000 employees is one of Sweden’s biggest employers. It is tasked with offering good healthcare and dental care and providing the prerequisites for good public health, a rich cultural life, a good environment, jobs, research, education and good communications. All together, these provide a foundation for sustainable growth in Västra Götaland. Koncernen Västra Götalandsregionen finns till för människorna i Västra Götaland och för allt som ligger invånarna nära: jobb, utbildning, hälso- och sjukvård, kultur och kommunikationer. Västra Götalandsregionen ska bidra till hälsa och trygghet i vardagen och för ett livskraftigt Västra Götaland nu och i framtiden. Vi har ett gemensamt ansvar att se till den enskilda människans behov och till regionmedborgarnas samlade behov för att uppnå visionen Det goda livet. Det gör vi inom våra tre ansvarsområden: Hälso- och sjukvård, tillväxt och utveckling och kollektivtrafik. Koncernen har drygt 50 000 medarbetare som arbetar inom framförallt hälso-och sjukvård men även inom kollektivtrafik, kulturverksamhet, skolor, folktandvård, lokal- och fastighetsförvaltning och folkhälsofrågor. Att arbeta i Västra Götalandsregionen gör avtryck – hos människor, i samhället och för framtiden. Lediga tjänster finns på: www.vgregion.se/jobb

State of Maryland

jobapscloud.com

Maryland is on the path to becoming the best state in the nation. Referred to as “America in Miniature”, Maryland embodies the very spirit of the United States. Maryland is home to ethnic groups of every origin, just about every natural feature, and much like our country, opportunity! If you are interested in a rewarding career in public service, consider the following: Full-time employment Part-time employment Contractual work Internships Seasonal work Maryland, where your work truly matters… Join us! State Jobs: https://www.jobaps.com/md/ State of Maryland homepage: http://www.maryland.gov/Pages/default.aspx

NOAA: National Oceanic & Atmospheric Administration

cb noaa.gov

Welcome! We're the National Oceanic & Atmospheric Administration or NOAA. From daily weather forecasts, severe storm warnings and climate monitoring to fisheries management, coastal restoration and supporting marine commerce, our products and services support economic vitality and affect more than one-third of America’s gross domestic product. NOAA’s dedicated scientists use cutting-edge research and high-tech instrumentation to provide citizens, planners, emergency managers and other decision makers with reliable information they need when they need it. *Looking for your official local weather forecast? Enter your zip code at www.weather.gov or mobile.weather.gov for mobile device users. *Interested in working for NOAA? Find job openings by typing "NOAA" in the search field at www.USAjobs.gov. Connect with us on social media: X: @NOAA Bluesky: noaa.gov Facebook: www.facebook.com/noaa Instagram: www.instagram.com/noaa YouTube: www.youtube.com/noaa LinkedIn: www.linkedin.com/company/noaa For a list of NOAA's major social media channels by mission area, please visit www.noaa.gov/stay-connected

City of Los Angeles

linkpages.pro

The City of Los Angeles employs more than 45,000 people in a wide range of careers. Visit our website for information on current openings, including regular civil service positions, exempt and emergency appointment opportunities, in addition to internships! The City of Los Angeles is a Mayor-Council-Commission form of government, as originally adopted by voters of the City of Los Angeles, effective July 1, 1925, and reaffirmed by a new Charter effective July 1, 2000. A Mayor, City Controller, and City Attorney are elected by City residents every four years. Fifteen City Council members representing fifteen districts are elected by the people for four-year terms, for a maximum of two terms. Members of Commissions are generally appointed by the Mayor, subject to the approval of the City Council. General Managers of the various City departments are also appointed by the Mayor, subject to confirmation by the City Council. Most employees of the City are subject to the civil service provisions of the City Charter.

State of Ohio

ohio.gov

Employment with the State of Ohio is more than ‘just a job’ – it is a privilege to serve our families, friends and neighbors who rely on us throughout our great state. We are a team of dedicated public servants committed to high performance, innovative thinking, and delivering excellent and efficient services. Our goal is to recruit and retain the best talent for our positions, because when we have the best talent, we get the best results for our community. We are #TeamOhio.

Commonwealth of Massachusetts

cb mass.gov

Year after year, the Commonwealth of Massachusetts has continued to pioneer bold legislative actions and programs, some of which have been embraced on a national scale. We are always looking for talented individuals to help us maintain this momentum and improve the services that millions of people depend on every day. If you’re looking for an innovative work environment where you can really make a difference, check out the job opportunities with the Commonwealth of Massachusetts. This page is managed according to the Mass.gov social media policy: https://www.mass.gov/info-details/massgov-social-media-policy. Comments that do not follow our policy may be removed.

Nav

nav.no

Nav er en viktig del av sikkerhetsnettet i velferdsstaten. Vi skal bidra til at flere kommer i arbeid og færre går på stønad, og samtidig sørge for at de som trenger det er sikra inntekt og økonomisk trygghet gjennom rett pengestøtte til rett tid. For å løse dette samfunnsoppdraget forvalter Nav om lag en tredel av statsbudsjettet, gjennom ordninger som arbeidsrettede tiltak, dagpenger, arbeidsavklaringspenger, sykepenger, pensjon, økonomisk sosialhjelp, foreldrepenger, barnetrygd og kontantstøtte. Nav tilbyr tjenester, ytelser og stønader til både privatpersoner og arbeidsgivere. For å sikre helhetlige tjenester, samarbeider vi tett med arbeidslivet, kommune-, helse- og utdanningssektoren, andre statlige virksomheter og frivillige aktører.

Loading…

NEWS

Canada Revenue Agency - Agence du revenu du Canada CyberSecurity News

Latest updates, reports, and threat intel affecting the global network.

July 03, 2025 07:00 AM

T5018 slip – Statement of contract payments

A T5018 slip identifies the total contract payments made to a recipient by a contractor in a calendar year or fiscal period.

Read Article

June 05, 2025 07:00 AM

Prioritizing privacy in a data-driven world

2024-2025 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act...

Read Article

May 23, 2025 07:00 AM

Canada Revenue Agency cutting up to 280 jobs, mainly in national capital region

The Canada Revenue Agency (CRA) is cutting up to 280 more employees this spring, the latest announcement of job cuts at the federal department over the past...

Read Article

October 28, 2024 07:00 AM

Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds

At the height of this year's tax season, the Canada Revenue Agency discovered that hackers had obtained confidential data used by one of the...

Read Article

February 27, 2024 08:00 AM

Canada says cannabis wholesalers must garnish payments over unpaid taxes

Canada's tax collection agency is garnishing cash from licensed cannabis producers that are delinquent on their excise duty payments.

Read Article

March 01, 2023 08:00 AM

CRA Scams Looking More and More Like The Real Thing: Expert

Cybersecurity experts are warning the public about the latest iteration of Canada Revenue Agency-style scams w...

Read Article

February 16, 2023 08:00 AM

Sweet v Canada: Federal Court Of Canada certified privacy breach class action against CRA

In Sweet v Canada, the Federal Court of Canada certified a class action lawsuit over a CRA personal and financial data breach at the Canada...

Read Article

September 16, 2022 07:00 AM

The making of music: is a master recording tangible or intangible property?

This article is part one of a four-part series that explores the Unidisc decisions and goes into detail on the issues of music masters,...

Read Article

February 17, 2021 08:00 AM

CRA locks online accounts amid investigation, leaving users worried

The Canada Revenue Agency has locked more than 100000 taxpayers out of its online platform, telling users their email addresses have been...

Read Article

Loading…

CVE

Latest

Global CVEs (Not Company-Specific)

CVE-2026-12175

SUMMARY

A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 4.7)

cvss2

Base Score: 5.8

Complexity: LOW

AV:N/AC:L/Au:M/C:P/I:P/A:P

cvss3

Base Score: 4.7

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

cvss4

Base Score: 2.0

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Score

3.4

Exploitability

1.2

REFERENCES

CVE-2026-12174

SUMMARY

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 8.8)

cvss2

Base Score: 9.0

Complexity: LOW

AV:N/AC:L/Au:S/C:C/I:C/A:C

cvss3

Base Score: 8.8

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

cvss4

Base Score: 7.4

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Score

5.9

Exploitability

2.8

REFERENCES

CVE-2026-12183

SUMMARY

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 9.8)

cvss3

Base Score: 9.8

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

cvss4

Base Score: 9.3

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Score

5.9

Exploitability

3.9

REFERENCES

CVE-2026-6428

SUMMARY

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/. The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters: my $f = @$filters[0]; $f =~ s/\*/%/g; $strsth2 .= " AND $column LIKE '$f' "; This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions. Proof of concept (error-based, single request): GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID=<LIBRARIAN_SESSION> The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...). The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 7.6)

cvss2

Base Score: 7.5

Complexity: LOW

AV:N/AC:L/Au:S/C:C/I:N/A:P

cvss3

Base Score: 7.6

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

cvss4

Base Score: 5.6

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber

Impact Score

4.7

Exploitability

2.8

REFERENCES

CVE-2026-5513

SUMMARY

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires 'Remember personal information in cookies' setting to be enabled (disabled by default).

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 7.2)

cvss3

Base Score: 7.2

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Impact Score

2.7

Exploitability

3.9

REFERENCES

Loading…

API

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?
linkedin_id=axa' -H 'apikey: YOUR_API_KEY_HERE'

Try It API Documentation Rapid

MEASURE

What Do We Measure ?

Incident

Finding

Grade

Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network SecurityIdentify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat IntelligenceLeverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo

By Rankiteo

★ ★ ★ ★ ★

View on G2.com

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.

View latest plans →View all security reports →

MILESTONEG

Users
Love Us

Loading…