What is the official website of Finance Canada / Finances Canada ?

The official website of Finance Canada / Finances Canada is https://fin.canada.ca.

What is Finance Canada / Finances Canada's cybersecurity risk score?

Finance Canada / Finances Canada has an AI-generated cybersecurity risk score of 770 out of 1000, indicating a Fair security posture according to Rankiteo's assessment.

How many security incidents has Finance Canada / Finances Canada experienced?

According to Rankiteo, Finance Canada / Finances Canada currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Finance Canada / Finances Canada been affected by any supply chain cyber incidents ?

According to Rankiteo, Finance Canada / Finances Canada has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.

Does Finance Canada / Finances Canada have SOC 2 Type 1 certification ?

According to Rankiteo, Finance Canada / Finances Canada is not certified under SOC 2 Type 1.

Does Finance Canada / Finances Canada have SOC 2 Type 2 certification ?

According to Rankiteo, Finance Canada / Finances Canada does not hold a SOC 2 Type 2 certification.

Does Finance Canada / Finances Canada comply with GDPR ?

According to Rankiteo, Finance Canada / Finances Canada is not listed as GDPR compliant.

Does Finance Canada / Finances Canada have PCI DSS certification ?

According to Rankiteo, Finance Canada / Finances Canada does not currently maintain PCI DSS compliance.

Does Finance Canada / Finances Canada comply with HIPAA ?

According to Rankiteo, Finance Canada / Finances Canada is not compliant with HIPAA regulations.

Does Finance Canada / Finances Canada have ISO 27001 certification ?

According to Rankiteo,Finance Canada / Finances Canada is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Which industry does Finance Canada / Finances Canada operate in ?

Finance Canada / Finances Canada operates primarily in the Government Administration industry.

How many employees does Finance Canada / Finances Canada have ?

Finance Canada / Finances Canada employs approximately 895 people worldwide.

Does Finance Canada / Finances Canada own any subsidiaries ?

Finance Canada / Finances Canada presently has no subsidiaries across any sectors.

How many LinkedIn followers does Finance Canada / Finances Canada have ?

Finance Canada / Finances Canada's official LinkedIn profile has approximately 208,151 followers.

What is the NAICS classification code for Finance Canada / Finances Canada ?

Finance Canada / Finances Canada is classified under the NAICS code 92, which corresponds to Public Administration.

Does Finance Canada / Finances Canada have a Crunchbase profile ?

No, Finance Canada / Finances Canada does not have a profile on Crunchbase.

Does Finance Canada / Finances Canada have a LinkedIn profile ?

Yes, Finance Canada / Finances Canada maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/finance-canada.

How many cybersecurity incidents has Finance Canada / Finances Canada experienced ?

As of June 14, 2026, Rankiteo reports that Finance Canada / Finances Canada has experienced 7 cybersecurity incidents.

How many peer or competitor companies does Finance Canada / Finances Canada have ?

Finance Canada / Finances Canada has an estimated 12,888 peer or competitor companies worldwide.

What types of cybersecurity incidents has Finance Canada / Finances Canada faced ?

Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Breach and Cyber Attack.

NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop

WindowsmacOSLinux

Download

Badge your company to reduce your risk score and your cyber insurance costs!

Link verified badges to your company page to build trust with insurers and customers.

Apply now and get your badge!

Internal validation & live display

Insurers and partners see a safer profile

Faster underwriting decisions

Trusted by insurers. Chosen by leaders.

Proud contributor to the Society of Actuaries.

FCFC

Boost Score +25 with badge (5 left)

770

/1000

Fair

795

/1000

Fair

Finance Canada / Finances Canada Vendor Cyber Rating & Cyber Score

canada.ca

Add Your Compliance Badge

The Department helps the Government of Canada develop and implement strong and sustainable economic, fiscal, tax, social, security, international and financial sector policies and programs. The Department ensures that ministers are supported with high-quality analysis and advice and it plays an important central agency role, working with other departments to ensure that the government's agenda is carried out. Terms and Conditions: https://www.canada.ca/en/department-finance/corporate/terms-conditions.html __ Le Ministère aide le gouvernement du Canada à élaborer et à mettre en œuvre des politiques et des programmes solides et durables sur les plans économique, fiscal, social, de même qu'en matière de sécurité et dans les secteurs

FCFC A.I CyberSecurity Scoring

Scoring History

FCFC

Finance Canada / Finances Canada CyberSecurity News & History

Past Incidents

Attack Types

Entity

Type

Severity

Impact

Seen

Blog Details

Supply Chain Source

Incident Details

View

Finance Canada / Fi...

Breach

10/2025

TRA270222710182...

Finance Canada / Fi...

Breach

5/2025

OFF100251009182...

Finance Canada / Fi...

Breach

10/2022

CAN206221122

Government of Canad...

Cyber Attack

3/2020

GOV1766174849

Finance Canada / Fi...

Data Leak

08/2018

GOV12181122

Finance Canada / Fi...

Breach

06/2018

CAN17246822

Finance Canada / Fi...

Cyber Attack

100

06/2015

GOV192330422

Loading…

A.I.

FCFC Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months

Actual

Prediction

Incident Predictions locked

Access Monitoring Plan

A.I Risk Score Likelihood 3 - 6 - 9 months

Actual

Prediction A

Prediction B

Prediction C

Prediction D

A.I. Risk Score Predictions locked

Access Monitoring Plan

Loading…

Underwriter Stats for FCFC

Incidents vs Government Administration Industry Avg (This Year)

No incidents recorded for Finance Canada / Finances Canada in 2026.

Incidents vs All-Companies Average (This Year)

No incidents recorded for Finance Canada / Finances Canada in 2026.

Incident Types FCFC vs Government Administration Industry Avg (This Year)

No incidents recorded for Finance Canada / Finances Canada in 2026.

Incident History - FCFC (X = Date, Y = Severity)

Loading…

SUBSIDIARY

Finance Canada / Finances Canada Subsidiaries

FCFC

Government Administration

Website: https://fin.canada.ca

Company Size: 501-1,000 employees

Government of CanadaGovernment Administration

Canada Revenue Agency - Agence du revenu du CanadaGovernment Administration

Health Canada | Santé CanadaGovernment Administration

Statistics Canada | Statistique CanadaGovernment Administration

Service CanadaGovernment Administration

Canada Border Services Agency | Agence des services frontaliers du CanadaGovernment Administration

National Research Council Canada / Conseil national de recherches CanadaResearch Services

Public Health Agency of Canada | Agence de la santé publique du CanadaGovernment Administration

Public Services and Procurement Canada | Services publics et Approvisionnement CanadaGovernment Administration

PSPC Jobs | Emplois SPACGovernment Administration

Real Property Services / Services immobiliersGovernment Administration

Marine Procurement | Approvisionnement MaritimeShipbuilding

Translation Bureau | Bureau de la traductionGovernment Administration

Environment and Climate Change CanadaGovernment Administration

Canadian Armed Forces | Forces armées canadiennesArmed Forces

Transport Canada - Transports CanadaGovernment Administration

Department of Justice Canada | Ministère de la Justice du CanadaGovernment Administration

Canadian Food Inspection AgencyGovernment Administration

Canada Mortgage and Housing Corporation (CMHC) Société canadienne d'hypothèques et de logement(SCHL)Government Administration

Canadian Institutes of Health Research | Instituts de recherche en santé du CanadaGovernment Administration

Immigration and Refugee Board of Canada | Commission de l'immigration et du statut de réfugiéGovernment Administration

Emploi et Développement social Canada (EDSC) / Employment and Social Development Canada (ESDC)Government Administration

Labour ProgramGovernment Administration

Canada 2030 AgendaGovernment Administration

Programme du travailGovernment Administration

Programme 2030 CanadaGovernment Administration

Public Safety Canada | Sécurité publique CanadaPublic Safety

Trade Commissioner Service | Service des délégués commerciauxInternational Trade and Development

Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du CanadaGovernment Administration

Natural Sciences and Engineering Research Council of Canada (NSERC)Government Administration

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du CanadaGovernment Administration

Communications Security Establishment Canada | Centre de la sécurité des télécommunications CanadaGovernment Administration

Canadian Centre for Occupational Health and SafetyGovernment Administration

Federal Economic Development Agency for Southern Ontario | Agence fédérale de ...Government Administration

Shared Services Canada | Services partagés CanadaGovernment Administration

WAGE / FEGCGovernment Administration

SSHRC-CRSHGovernment Administration

Veterans Affairs Canada / Anciens Combattants CanadaGovernment Administration

Canada School of Public Service | École de la fonction publique du CanadaGovernment Administration

Prairies Economic Development Canada I Développement économique Canada pour les PrairiesGovernment Administration

Commission de la fonction publique du Canada | Public Service Commission of CanadaGovernment Administration

ACOA - APECAGovernment Administration

Doing Business with the Government of Canada | Faire affaire avec le gouvernement du CanadaGovernment Administration

Canadian Intellectual Property Office / Office de la propriété intellectuelle du CanadaGovernment Administration

CRTCTelecommunications

Canada Economic Development for Quebec RegionsGovernment Administration

Public Prosecution Service of Canada | Service des poursuites pénales du CanadaGovernment Administration

Competition Bureau CanadaLaw Enforcement

Policy Horizons Canada - Horizons de politiques CanadaGovernment Administration

Get Cyber SafeGovernment Administration

Innovation, Science and Economic Development CanadaGovernment Administration

Innovative Solutions CanadaGovernment Relations Services

Canada Digital Adoption Program | Programme canadien d'adoption du numériqueGovernment Relations Services

Canadian Armed Forces | Forces armées canadiennesArmed Forces

Pensez cybersécuritéGovernment Administration

Régie de l’énergie du CanadaGovernment Administration

My Source | Ma sourceGovernment Administration

Bureau de la concurrence CanadaLaw Enforcement

Inside ECCC | Ici à ECCCGovernment Administration

Centre canadien d'hygiène et de sécurité au travail (CCHST)Government Administration

Loading…

Finance Canada / Finances Canada Similar Companies

United States Postal Service

usps.com

As the United States Postal Service continues its evolution as a forward-thinking, fast-acting company capable of providing quality products and services for its customers, it continues to remember and celebrate its roots as the first national network of communications that literally bound a nation together. Ours is a proud heritage built on a simple yet profound mission: Bind the nation together. Connect every American, every door, every business, everywhere through the simple act of delivering mail and packages. This idea of universal service is at the heart of the $1.4 trillion industry that employs more than 7.5 million people and drives commerce, plays an integral part in every American community and remains the greatest value of any post in the world. The Postal Service delivers more mail to more addresses in a larger geographical area than any other post in the world. The Postal Service delivers to more than 157 million addresses in every state, city and town in this country. Everyone living in the United States and its territories has access to postal products and services and pays the same postage regardless of their location. The Postal Service receives no tax dollars for operating expenses and relies on the sale of postage, products and services to fund its operations. Facebook: www.facebook.com/usps Twitter: www.twitter.com/usps Instagram: www.instagram.com/uspostalservice Pinterest: www.pinterest.com/uspsstamps YouTube: www.youtube.com/usps Corporate Blog: www.uspsblog.com This profile, while affiliated with the U.S. Postal Service®, is not an official customer service page. Please use one of the methods described below to receive assistance. Get help on twitter @USPSHelp or call 800-275-8777or go to go.usa.gov/help Thank you

State of Ohio

ohio.gov

Employment with the State of Ohio is more than ‘just a job’ – it is a privilege to serve our families, friends and neighbors who rely on us throughout our great state. We are a team of dedicated public servants committed to high performance, innovative thinking, and delivering excellent and efficient services. Our goal is to recruit and retain the best talent for our positions, because when we have the best talent, we get the best results for our community. We are #TeamOhio.

Texas Health and Human Services

texas.gov

Overview The Texas Health and Human Services Commission (HHSC) is an agency within the Texas Health and Human Services System. In September 2016, Texas began transforming how it delivers health and human services to qualified Texans, with a goal of making the Health and Human Services System more efficient and effective. Sept. 1, 2017, marked another major milestone in this transformation. The new accountable, restructured system: - Makes it easier for people to find out about the services or benefits for which they may qualify. - Better integrates programs by removing bureaucratic silos and grouping similar programs and services together. - Creates clear lines of accountability within the organization. - Includes well-defined and objective performance metrics for all organizational areas. Texas Health and Human Services now consists of 2 agencies: the Texas Health and Human Services Commission and the Texas Department of State Health Services (DSHS). HHS is headquartered in Austin, TX. Services Provided - Medicaid for families and children - Long-term care for people who are older or have disabilities - SNAP (Supplemental Nutrition Assistance Program) food benefits and TANF (Temporary Assistance For Needy Families) cash assistance for families Behavior health services - Services to help keep people who are older or who have disabilities in their homes or communities - Services for women or other people with special health needs Oversight of Regulatory Functions - Licensing and credentialing of long-term care facilities, such as nursing homes and assisted living - Licensing child care providers - Managing the day-to-day operations of state supported living centers and state hospitals

INSS

inss.gov.br

O Instituto Nacional do Seguro Social (INSS) é uma autarquia do Governo Federal do Brasil que recebe as contribuições para a manutenção do Regime Geral da Previdência Social, sendo responsável pelo pagamento da aposentadoria, pensão por morte, auxílio-doença, auxílio-acidente, entre outros benefícios previstos em lei. O INSS trabalha junto com a Dataprev, empresa de tecnologia que faz o processamento de todos os dados da Previdência. Está vinculado ao Ministério da Previdência Social.

CONICET

conicet.gov.ar

El Consejo Nacional de Investigaciones Científicas y Técnicas (CONICET) es el principal organismo dedicado a la promoción de la ciencia y la tecnología en la Argentina. Su actividad se desarrolla en cuatro grandes áreas: • Ciencias agrarias, ingeniería y de materiales • Ciencias biológicas y de la salud • Ciencias exactas y naturales • Ciencias sociales y humanidades En el CONICET, además promovemos y gestionamos la transferencia de tecnologías, servicios y capacidades de Investigación y Desarrollo (I+D) que genera su comunidad científica hacia los sectores socioproductivos, Pymes, Gobiernos, organismos públicos y la sociedad civil. En ese sentido: • Conectamos recursos humanos altamente especializados con empresarios/as para generar oportunidades conjuntas. • Impulsamos la participación con cámaras y asociaciones empresarias, parques tecnológicos e industriales, organismos del Estado, ONG, organizaciones civiles, y redes nacionales e internacionales de vinculación tecnológica. • Facilitamos la transferencia al sector productivo mediante procesos de escalado, pruebas de concepto, entre otros. • Promovemos la creación de Empresas de Base Tecnológica. El CONICET es un ente autárquico del Estado Nacional en jurisdicción del Ministerio de Ciencia, Tecnología e Innovación.

Department of Education and Youth

www.gov.ie

The Department of Education and Youth is a ministerial department of the Irish State with responsibility for education. Our mission to facilitate children and young people, through learning, to achieve their full potential and contribute to Ireland’s social, economic and cultural development. The current Minister for Education is Hildegarde Naughton TD, and the Minister of State with responsiblity for Special Education and Inclusion is Michael Moynihan TD.

I WORK FOR SA

sa.gov.au

The OFFICIAL careers page for the South Australian Government. The South Australian Public Sector is the State's largest workforce. We are an employer of choice that reflects the diverse community we serve. Our people are from a range of backgrounds and vocations, from entry level, mid-career and leadership professionals as well as graduates, apprentices and trainees. As a public sector employee, you can be proud that the work you do supports our community and our State's prosperity. For a career with more opportunity, flexibility and purpose, visit IWORKFOR.SA.gov.au

Region Midtjylland

regionmidtjylland.dk

Central Denmark Region is one of five regions in Denmark. Denmark is organised at three political and administrative levels: the national (government), the regional (5 regions) and the municipal level (98 municipalities). Each region is led by a Regional Council, consisting of 41 politicians elected every four years. The regions' responsibilities are within the areas of health, psychiatry, social og regional development. The region must secure the overall strategy and at the same time top quality services; be it in the personal educational contact at institutions or when a patient needs nerve fibre surgery. Facts - Central Denmark Region Central Denmark Region covers 19 municipalities and an area of 13,000 square kilometres. Central Denmark Region has a population of 1.3 million people - approx. 23% of the population in Denmark. Central Denmark Region has a gross budget of 28.9 billion DKK (2019). Central Denmark Region has approx. 30.000 employees. Health, psychiatry and social The primary responsibility of Central Denmark Region is healthcare. This includes being responsible for the nine somatic hospitals and eight psychiatric hospital departments, pre-hospital emergency services, general practitioners and practising specialist doctors. The region also operates a number of specialised social care institutions in agreement with local municipalities. Regional development Central Denmark Region is also responsible for regional development within the areas of public transport/mobility, education, culture and environment (soil contamination, groundwater protection and raw materials planning).

Belastingdienst

belastingdienst.nl

De organisatie bestaat uit diverse onderdelen, waaronder de Belastingdienst, Douane, Toeslagen, FIOD en enkele facilitaire organisaties. Met ruim 30.000 medewerkers werken we in kantoren die verspreid zijn over het hele land. Gezamenlijk heffen, innen en controleren we belastingen. Daarnaast zorgen we ook voor het uitbetalen van toeslagen. En zijn we verantwoordelijk voor douanetaken en het opsporen van fraude. De Belastingdienst is een organisatie die 24 uur per dag, 7 dagen per week in dienst staat van de samenleving. Waar jaarlijks miljoenen aangiften worden behandeld, en waar voor honderden miljoenen aan toeslagen worden uitbetaald. En waar de Douane dagelijks zorgt voor de vlotte en veilige in- en uitvoer van tonnen goederen. Ondanks deze grote aantallen streven wij waar mogelijk naar individuele en persoonlijke dienstverlening. En in de vorm van bijvoorbeeld convenanten en partnerships werken wij ook zo goed mogelijk samen met het bedrijfsleven en andere ketenpartners. De Belastingdienst: grootschalig, veelzijdig en altijd maatschappelijk relevant.

Loading…

NEWS

Finance Canada / Finances Canada CyberSecurity News

Latest updates, reports, and threat intel affecting the global network.

January 07, 2026 10:56 PM

Hacking to learn: Building Canada's cyber workforce

Inside Tom Levasseur's CyberSci program and the hands-on revolution in cybersecurity education.

Read Article

December 11, 2025 08:00 AM

EY US - Home | Building a better working world

This AI survey shows how AI investments are turning into business productivity gains and significant financial performance.

Read Article

December 09, 2025 08:00 AM

Navigating Canada’s emerging AI landscape: Risks and realities for financial professionals

Canada's AI regulatory landscape for financial institutions is still taking shape. Without an overarching federal statute, the financial...

Read Article

October 24, 2025 01:15 AM

The emerging cybersecurity risks facing Canada’s public sector

How government and public-sector leaders can foster cyber resilience while laying the foundation for new citizen services.

Read Article

October 02, 2025 12:44 PM

Protecting yourself online: A Fraud Prevention Toolkit for Newcomers to Canada

The Canadian Bankers Association's Fraud Prevention toolkit for Newcomers to Canada, developed in collaboration with Get Cyber Safe, aims to educate...

Read Article

September 17, 2025 07:00 AM

Keeping the lights on: Canada's OT cybersecurity wake-up call

Why Canada's critical infrastructure faces growing cyber risks — and what must be done to protect it.

Read Article

September 11, 2025 07:00 AM

From finance to the frontlines of cybersecurity

Mary Carmichael blends business acumen, technical depth and community leadership to shape a more resilient and inclusive cybersecurity...

Read Article

September 09, 2025 07:00 AM

Canada’s major financial services, telecommunication, and technology companies unite with law enforcement and government to target growing threat posed by scams

Canada's major financial services, telecommunications, and technology companies are uniting with law enforcement and the federal government...

Read Article

September 06, 2025 07:00 AM

The Complete Guide to Using AI in the Financial Services Industry in Canada in 2025

Beginner's guide to using AI in Canada's financial services (2025): regulations, risks, governance, cybersecurity, city hubs and 2025...

Read Article

Loading…

CVE

Latest

Global CVEs (Not Company-Specific)

CVE-2026-12175

SUMMARY

A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 4.7)

cvss2

Base Score: 5.8

Complexity: LOW

AV:N/AC:L/Au:M/C:P/I:P/A:P

cvss3

Base Score: 4.7

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

cvss4

Base Score: 2.0

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Score

3.4

Exploitability

1.2

REFERENCES

CVE-2026-12174

SUMMARY

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 8.8)

cvss2

Base Score: 9.0

Complexity: LOW

AV:N/AC:L/Au:S/C:C/I:C/A:C

cvss3

Base Score: 8.8

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

cvss4

Base Score: 7.4

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Score

5.9

Exploitability

2.8

REFERENCES

CVE-2026-12183

SUMMARY

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 9.8)

cvss3

Base Score: 9.8

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

cvss4

Base Score: 9.3

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Score

5.9

Exploitability

3.9

REFERENCES

CVE-2026-6428

SUMMARY

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/. The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters: my $f = @$filters[0]; $f =~ s/\*/%/g; $strsth2 .= " AND $column LIKE '$f' "; This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions. Proof of concept (error-based, single request): GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID=<LIBRARIAN_SESSION> The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...). The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 7.6)

cvss2

Base Score: 7.5

Complexity: LOW

AV:N/AC:L/Au:S/C:C/I:N/A:P

cvss3

Base Score: 7.6

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

cvss4

Base Score: 5.6

Complexity: LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber

Impact Score

4.7

Exploitability

2.8

REFERENCES

CVE-2026-5513

SUMMARY

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires 'Remember personal information in cookies' setting to be enabled (disabled by default).

Published

Date2026-06-13

Updated

Date2026-06-13

RISK INFORMATION (Score: 7.2)

cvss3

Base Score: 7.2

Complexity: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Impact Score

2.7

Exploitability

3.9

REFERENCES

Loading…

API

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?
linkedin_id=axa' -H 'apikey: YOUR_API_KEY_HERE'

Try It API Documentation Rapid

MEASURE

What Do We Measure ?

Incident

Finding

Grade

Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network SecurityIdentify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat IntelligenceLeverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo

By Rankiteo

★ ★ ★ ★ ★

View on G2.com

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.

View latest plans →View all security reports →

MILESTONEG

Users
Love Us

Loading…