CVE Catalog

CVE-2026-44172

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

A vulnerability in MariaDB server (a MySQL fork) versions 3.3.18 and 3.4.8 allows SQL injection attacks even when using mysql_real_escape_string() with the big5 character set. The issue is fixed in versions 3.3.19 and 3.4.9.

Risk Assessment

Organizations using vulnerable MariaDB versions with the big5 character set and processing unsanitized input via mysql_real_escape_string() are at risk of SQL injection, potentially leading to data leakage or modification.

Recommendation

Immediately upgrade MariaDB server to version 3.3.19 or 3.4.9. Until patched, avoid using the big5 character set with mysql_real_escape_string().

Original NVD description (English source)

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS