CVE-2026-44172
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
A vulnerability in MariaDB server (a MySQL fork) versions 3.3.18 and 3.4.8 allows SQL injection attacks even when using mysql_real_escape_string() with the big5 character set. The issue is fixed in versions 3.3.19 and 3.4.9.
Risk Assessment
Organizations using vulnerable MariaDB versions with the big5 character set and processing unsanitized input via mysql_real_escape_string() are at risk of SQL injection, potentially leading to data leakage or modification.
Recommendation
Immediately upgrade MariaDB server to version 3.3.19 or 3.4.9. Until patched, avoid using the big5 character set with mysql_real_escape_string().
Original NVD description (English source)
MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

