Description
MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MariaDB server versions 3.3.18 and 3.4.8 incorrectly handled the big5 character set when escaping user input with mysql_real_escape_string(), permitting an attacker to inject malicious SQL. The flaw defeats the intended protection of the escape routine, allowing the attacker to read, modify, or delete data in the database, potentially compromising confidentiality and integrity of stored information. This vulnerability is categorized as a SQL injection flaw (CWE‑89).

Affected Systems

The issue affects MariaDB server 3.3.18 and 3.4.8. Affected applications are those that take untrusted input, use mysql_real_escape_string() for escaping, and send the data to the database over the text protocol with the big5 character set. The upgrade path is to 3.3.19 or 3.4.9, where the bug is fixed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity and the EPSS score of less than 1% suggests a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying limited public exploitation. The likely attack vector involves an application layer interface where an attacker supplies crafted input that is not properly validated; the improper escaping can be exploited remotely through any component that delegates user input to the database using the text protocol with big5 encoding. The impact scope depends on the privileges of the database user called by the connection; if a privileged account is used, an attacker could gain full control of the database.

Generated by OpenCVE AI on June 12, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MariaDB to version 3.3.19 or 3.4.9, which contains the fix for this escape‐handling bug.
  • If an upgrade is not immediately feasible, disable or avoid the big5 character set on connections that use mysql_real_escape_string(); alternatively, remove or isolate any code paths that use this charset.
  • Ensure all applications that rely on mysql_real_escape_string() employ parameterized queries or modern prepared statement APIs, especially when handling non‑validated input, to eliminate the need for manual escaping.

Generated by OpenCVE AI on June 12, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mariadb
Mariadb server
Vendors & Products Mariadb
Mariadb server

Fri, 12 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.
Title MariaDB: mysql_real_escape_string() incorrectly handled big5
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mariadb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:02:12.617Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44172

cve-icon Vulnrichment

Updated: 2026-06-12T20:02:08.825Z

cve-icon NVD

Status : Received

Published: 2026-06-12T18:16:34.123

Modified: 2026-06-12T18:16:34.123

Link: CVE-2026-44172

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')