Percona Open source database vendor, MongoDB, MySQL, PostgreSQL or MariaDB
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Percona product.
RSS Feeds for Percona security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Percona products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Percona Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Percona. Percona did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 1 | 7.50 |
| 2023 | 2 | 8.80 |
| 2022 | 2 | 7.00 |
| 2021 | 2 | 8.10 |
| 2020 | 4 | 9.80 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Percona vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Percona Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-7701 | Dec 15, 2024 |
Percona Toolkit: Insufficient Computational Effort in Password Hashing Leading to Encryption Brute FUse of Password Hash With Insufficient Computational Effort vulnerability in percona percona-toolkit allows Encryption Brute Forcing.This issue affects percona-toolkit: 3.6.0. |
Toolkit
|
| CVE-2022-25834 | Jun 07, 2023 |
Percona XtraBackup <=2.2.24/3.x<8.0.27-19: Filename-Path Exploit Remote CMDIn Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands. |
Xtrabackup
|
| CVE-2023-34409 | Jun 06, 2023 |
PMM 2.x (2.37.1) Path Trvsl in auth_server.go Unauth Remote POST EscalationIn Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure. |
Monitoring And Management
|
| CVE-2022-34968 | Aug 03, 2022 |
Percona Server for MySQL 8.0.28-19 DoS via fetch_step SQL queryAn issue in the fetch_step function in Percona Server for MySQL v8.0.28-19 allows attackers to cause a Denial of Service (DoS) via a SQL query. |
Percona Server
|
| CVE-2022-26944 | Jun 02, 2022 |
Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file outputPercona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997. |
Xtrabackup
|
| CVE-2020-15180 | May 27, 2021 |
A flaw was found in the mysql-wsrep component of mariadbA flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6. |
Xtradb Cluster
|
| CVE-2021-27928 | Mar 19, 2021 |
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product. |
Percona Server
|
| CVE-2020-26542 | Nov 09, 2020 |
An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsofts Active Directory, Percona has discovered a flawAn issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsofts Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account. |
Percona Server
|
| CVE-2020-10996 | Apr 27, 2020 |
An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected. |
Xtradb Cluster
|
| CVE-2020-10997 | Apr 27, 2020 |
Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file outputPercona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. |
Xtrabackup
|
| CVE-2020-7920 | Feb 06, 2020 |
pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1 allows unauthenticated denial of service. |
Monitoring And Management
|
| CVE-2019-12301 | May 23, 2019 |
The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffered an issue where the serverThe Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffered an issue where the server would reset the root password to a blank value upon an upgrade. This was fixed in 5.6.44-85.0-2. |
Percona Server
|
| CVE-2016-6664 | Dec 13, 2016 |
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based loggingmysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files. |
Percona Server
Xtradb Cluster
|
| CVE-2016-6662 | Sep 20, 2016 |
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15. |
Percona Server
|