PatchSiren cyber security CVE debrief
CVE-2026-44172 MariaDB CVE debrief
A SQL injection vulnerability was discovered in MariaDB server versions 3.3.18 and 3.4.8. An application taking non-validated user input, escaping it with mysql_real_escape_string(), and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections. This issue was patched in versions 3.3.19 and 3.4.9.
- Vendor: MariaDB
- Product: server
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators running MariaDB server 3.3.18 or 3.4.8 should update to 3.3.19 or 3.4.9 respectively. The exposure the advisory describes needs three conditions at once: user input that reaches the database after mysql_real_escape_string() rather than as a bound parameter, the text protocol, and a connection using the big5 character set. Applications that bind parameters through prepared statements, or that never use big5, are outside the trigger conditions the advisory describes, but the server update should still be applied.
Technical summary
The advisory places the flaw in the server, not in the escaping step: the application escapes user input with mysql_real_escape_string(), splices the result into statement text, and sends it over the text protocol on a big5 connection, and the server still interprets part of that input as SQL. The advisory does not publish the exact byte sequence involved. What makes big5 special is that it is a multibyte character set whose trailing byte may be 0x5C, the ASCII backslash (許 is encoded 0xB3 0x5C), so the escaper and the server's string-literal parser must agree exactly on where characters begin and end; any disagreement can let a quote the application escaped terminate the literal early, which is the injection.
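The following is an added example, not MariaDB's code and not the advisory's: a self-contained model of the generic multibyte-charset escaping hazard described above, using Python's built-in big5 codec. The string-literal parser is a toy stand-in for a server tokenizer, the `users` query and the input bytes are constructed for illustration, and the byte sequence shown is the classic 0xB3 0x5C case, not a claim about the exact bytes behind CVE-2026-44172. It contrasts an escaper that works one byte at a time with one that escapes at the character level in the connection charset and rejects malformed input.

```python
# Added example (not MariaDB's or the advisory's code): why escaping must agree
# with the connection character set. The tokenizer below is a toy model of a
# server's string-literal parser; ATTACK and BENIGN are constructed inputs.
from __future__ import annotations

from typing import Callable

# The characters mysql_real_escape_string()-style escapers rewrite.
SPECIALS = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def escape_bytewise(data: bytes) -> bytes:
    """Charset-unaware escaping: one byte at a time, as if the connection
    were single-byte. A lead byte followed by a quote is left in place."""
    out = bytearray()
    for b in data:
        rep = SPECIALS.get(chr(b)) if b < 0x80 else None
        out += rep.encode("ascii") if rep else bytes([b])
    return bytes(out)


def escape_charset_aware(data: bytes, charset: str = "big5") -> bytes:
    """Decode in the connection charset (malformed input raises
    UnicodeDecodeError), escape per character, re-encode."""
    text = data.decode(charset)
    return "".join(SPECIALS.get(c, c) for c in text).encode(charset)


def split_first_literal(sql_bytes: bytes, charset: str = "big5") -> tuple[str, str]:
    """Toy server: decode the statement in the connection charset, then read
    the first '...' literal honouring backslash escapes and '' doubling.
    Returns (literal_body, text_after_closing_quote)."""
    sql = sql_bytes.decode(charset)
    i = sql.index("'") + 1
    body: list[str] = []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):      # escaped character
            body.append(sql[i + 1]); i += 2; continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":   # '' inside literal
                body.append("'"); i += 2; continue
            return "".join(body), sql[i + 1:]
        body.append(c); i += 1
    raise ValueError("unterminated string literal")


def build_query(escaped_name: bytes) -> bytes:
    # Constructed query; in the vulnerable pattern this is what the text
    # protocol carries to the server.
    return b"SELECT id FROM users WHERE name='" + escaped_name + b"'"


def run(escaper: Callable[[bytes], bytes], raw: bytes) -> str:
    """Escape raw input, embed it, parse like the server, summarise the outcome."""
    try:
        escaped = escaper(raw)
    except UnicodeDecodeError:
        return "rejected: input is not well-formed big5"
    try:
        body, rest = split_first_literal(build_query(escaped))
    except ValueError as exc:
        return f"syntax error: {exc}"
    if rest:                                   # the literal ended early
        return f"INJECTED: literal={body!r} trailing={rest!r}"
    return f"ok: literal={body!r}"


# Constructed attacker input: a big5 lead byte immediately followed by a quote.
# Bytewise escaping turns 0xB3 0x27 into 0xB3 0x5C 0x27; in big5 that is 許
# followed by a bare quote, so the escaping backslash has been eaten.
ATTACK = b"\xb3' OR 1=1 -- "
# Constructed benign input: 許 (0xB3 0x5C) followed by a quote.
BENIGN = "許'".encode("big5")

if __name__ == "__main__":
    for name, esc in (("bytewise", escape_bytewise), ("charset-aware", escape_charset_aware)):
        for label, raw in (("attack", ATTACK), ("benign", BENIGN)):
            print(f"{name:14} {label:7} -> {run(esc, raw)}")
```

Run it and the bytewise escaper both lets the constructed attack close the literal early and mangles the legitimate 許 into a syntax error, while the charset-aware escaper rejects the malformed input and round-trips the benign one. Escaping correctly is still the weaker fix: the advisory's defence is to bind parameters over the binary protocol so user data never enters the statement text at all. Check your driver's documentation before relying on that, because some Python drivers (PyMySQL and mysqlclient, for example) implement `%s` placeholders by client-side interpolation rather than server-side prepared statements.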
Defensive priority
MEDIUM
Recommended defensive actions
- Update MariaDB server 3.3.18 to 3.3.19, and 3.4.8 to 3.4.9
- Until the update is applied, identify connections that use the big5 character set (the character_set_client and character_set_connection session variables) and which of those applications build statement text from escaped input; those are the ones within the advisory's trigger conditions
- Validate user input against the expected format and character set before it reaches the database; treat input that is not well-formed in the connection character set as an error rather than escaping it
- Use prepared statements with bound parameters (the binary protocol) instead of splicing escaped input into statement text; confirm that the driver actually sends parameters server-side rather than emulating placeholders by client-side escaping
Evidence notes
The CVE-2026-44172 vulnerability was patched in MariaDB server versions 3.3.19 and 3.4.9. For more information, see [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-44172) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-44172).
Official resources
CVE-2026-44172 was published on 2026-06-12T18:16:34.123Z.