MariaDB: open-source fork of the MySQL database
Products by MariaDB Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 11 vulnerabilities in MariaDB with an average score of 8.0 out of ten. Last year, in 2025, MariaDB had 2 security vulnerabilities published. That is, 9 more vulnerabilities have already been reported in 2026 than in all of last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 11 | 8.00 |
| 2025 | 2 | 0.00 |
| 2024 | 3 | 0.00 |
| 2023 | 4 | 6.35 |
| 2022 | 60 | 6.83 |
| 2021 | 15 | 5.43 |
| 2020 | 16 | 5.69 |
| 2019 | 16 | 5.73 |
| 2018 | 40 | 5.58 |
It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent MariaDB Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-48165 | Jun 12, 2026 | MariaDB CVE-2026-48165: wsrep_sst exec 10.6.x,10.11.x,11.4.x,11.8.x,12.3.1. MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could have used the wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the Galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. |
| CVE-2026-48163 | Jun 12, 2026 | MariaDB SST Shell Exec via rsync before 10.6.27,10.11.18,11.4.12,11.8.8,12.3.2. MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node interpolates parameters sent by the joiner into the command line. Not all parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. |
| CVE-2026-44173 | Jun 12, 2026 | MariaDB 10.x-12.3.1 PrivEsc: SELECT...INTO OUTFILE w/o FILE privilege. MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. |
| CVE-2026-44172 | Jun 12, 2026 | MariaDB Server SQLi via text protocol & BIG5 (v3.3.18/3.4.8) before 3.3.19. MariaDB server is a community-developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that took non-validated user input, escaped it with mysql_real_escape_string() and sent it to the database using the text protocol and the big5 character set was vulnerable to SQL injection, even though mysql_real_escape_string() was supposed to prevent it. This issue has been patched in versions 3.3.19 and 3.4.9. |
| CVE-2026-44171 | Jun 12, 2026 | MariaDB mbstream Path Traversal v10.6.110.6.26 / 10.11.110.11.17 patch. MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. |
| CVE-2026-44169 | Jun 12, 2026 | MariaDB 11.4.x, 11.8.x, 12.3.x Stored Routine Definition Leak via Role EXECUTE. MariaDB server is a community-developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user granted EXECUTE access to a stored routine via a role could see the routine definition even without the SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2. |
| CVE-2026-44168 | Jun 12, 2026 | MariaDB SST Shell Injection (10.6.x10.6.25, 10.11.x10.11.16, 11.4.x11.4.10, 11.8.x11.8.6, 12.3.1). MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node interpolates parameters sent by the joiner into the command line. Not all parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. |
| CVE-2026-44170 | Jun 12, 2026 | MariaDB <=10.6.26/10.11.17/11.4.11/11.8.7/12.3.2 REST Shell Cmd Injection. MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated the table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. |
| CVE-2026-49261 | Jun 11, 2026 | MariaDB Server <10.6.27, <10.11.18 Exec via wsrep_notify_cmd. MariaDB server is a community-developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`. |
| CVE-2026-35549 | Apr 03, 2026 | Large packet crash in MariaDB <11.4.10/11.8.6/12.2.2 cache_sha2 auth plugin. An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca. |