Vulnerability-Lookup

Search criteria ⓘ Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

Full-Text Search

Vendor

Product

Assigner

Sources

Sort by

Order

Apply ordering (override relevance)

CVE-2026-44172 (GCVE-0-2026-44172)

Vulnerability from cvelistv5 – Published: 2026-06-12 17:34 – Updated: 2026-06-12 20:02

Title

MariaDB: mysql_real_escape_string() incorrectly handled big5

Summary

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/MariaDB/server/security/adviso…	x_refsource_CONFIRM
https://jira.mariadb.org/browse/CONC-819	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
MariaDB	server	Affected: = 3.3.18 Affected: = 3.4.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44172",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T20:02:02.774991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T20:02:12.617Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "server",
          "vendor": "MariaDB",
          "versions": [
            {
              "status": "affected",
              "version": "= 3.3.18"
            },
            {
              "status": "affected",
              "version": "= 3.4.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T17:34:04.487Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MariaDB/server/security/advisories/GHSA-pv9p-5w55-55jm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MariaDB/server/security/advisories/GHSA-pv9p-5w55-55jm"
        },
        {
          "name": "https://jira.mariadb.org/browse/CONC-819",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.mariadb.org/browse/CONC-819"
        }
      ],
      "source": {
        "advisory": "GHSA-pv9p-5w55-55jm",
        "discovery": "UNKNOWN"
      },
      "title": "MariaDB: mysql_real_escape_string() incorrectly handled big5"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44172",
    "datePublished": "2026-06-12T17:34:04.487Z",
    "dateReserved": "2026-05-05T14:39:34.923Z",
    "dateUpdated": "2026-06-12T20:02:12.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

PYSEC-2026-217

Vulnerability from pysec - Published: 2026-06-12 18:16 - Updated: 2026-06-17 18:17

Details

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impacted products

Name	purl
mariadb	pkg:pypi/mariadb

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "mariadb",
        "purl": "pkg:pypi/mariadb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.3.18"
            },
            {
              "last_affected": "3.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.9.52",
        "0.9.53",
        "0.9.54",
        "0.9.55",
        "0.9.56",
        "0.9.57",
        "0.9.58",
        "0.9.59",
        "1.0.0",
        "1.0.1",
        "1.0.10",
        "1.0.11",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.0.9",
        "1.1.0a1",
        "1.1.0b1",
        "1.1.0b2",
        "1.1.0rc1",
        "1.1.10",
        "1.1.11",
        "1.1.12",
        "1.1.13",
        "1.1.14",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.5.post1",
        "1.1.5.post2",
        "1.1.5.post3",
        "1.1.6",
        "1.1.7",
        "1.1.8",
        "1.1.9",
        "2.0.0rc1",
        "2.0.0rc2"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44172",
    "GHSA-pv9p-5w55-55jm"
  ],
  "details": "MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.",
  "id": "PYSEC-2026-217",
  "modified": "2026-06-17T18:17:26.527028Z",
  "published": "2026-06-12T18:16:34.123Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/MariaDB/server/security/advisories/GHSA-pv9p-5w55-55jm"
    },
    {
      "type": "ADVISORY",
      "url": "https://jira.mariadb.org/browse/CONC-819"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Find a vulnerability

Search criteria ⓘ Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

Related vulnerabilities

CVE-2026-44172 (GCVE-0-2026-44172)

PYSEC-2026-217

Find a vulnerability

Search criteria ⓘ Use this form to refine search results. Full-text search supports keyword queries with ranking and filtering. You can combine vendor, product, and sources to narrow results. Enable “Apply ordering” to sort by date instead of relevance.

Related vulnerabilities

CVE-2026-44172 (GCVE-0-2026-44172)

PYSEC-2026-217

Search criteria ⓘ Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.