MariaDB MariaDB Open source fork of MySQL database

  1. Vendors
  2. MariaDB

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any MariaDB product.

RSS Feeds for MariaDB security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in MariaDB products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by MariaDB Sorted by Most Security Vulnerabilities since 2018

MariaDB366 vulnerabilities
Open source RDBMS forked from MySQL

MariaDB Connectorc1 vulnerability

MariaDB Maxscale1 vulnerability

By the Year

In 2026 there have been 1 vulnerability in MariaDB with an average score of 8.6 out of ten. Last year, in 2025 MariaDB had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in MariaDB in 2026 could surpass last years number.




Year Vulnerabilities Average Score
2026 1 8.60
2025 2 0.00
2024 3 0.00
2023 4 6.35
2022 60 6.83
2021 15 5.43
2020 16 5.69
2019 16 5.73
2018 40 5.58

It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent MariaDB Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-32710 Mar 20, 2026
MariaDB Server RCE via JSON_SCHEMA_VALID Crash (v11.4 11.8) MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.
CVE-2025-13699 Dec 23, 2025
MariaDB mariadb-dump Directory Traversal RCE via View Name Validation MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000.
MariaDB
CVE-2023-52971 Mar 08, 2025
MariaDB Server 10.10-11.4 Crash in JOIN::fix_all_splittings_in_plan MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes in JOIN::fix_all_splittings_in_plan.
MariaDB
CVE-2023-39593 Oct 17, 2024
MariaDB 10.5 sys_exec Permission Error Enables Privileged Cmd Exec Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
MariaDB
CVE-2024-27766 Oct 17, 2024
Remote Code Execution via lib_mysqludf_sys in MariaDB 11.1 An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
MariaDB
CVE-2023-26785 Oct 17, 2024
MariaDB 10.5 Remote Code Execution via UDF Shared Object File MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
MariaDB
CVE-2023-22084 Oct 17, 2023
Oracle MySQL InnoDB DoS via Crash (8.0.34, 5.7.43) Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
MariaDB
CVE-2023-5157 Sep 27, 2023
MariaDB DoS via OpenVAS port scan 3306/4567 A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.
MariaDB
CVE-2023-40354 Aug 14, 2023
MariaDB MaxScale Password stored in cleartext before 23.02.3 An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.
Maxscale
CVE-2022-47015 Jan 20, 2023
MariaDB Server <=10.9.3: Null Pointer DS in spider_db_mbase MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
MariaDB
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.