MariaDB: mysql_real_escape_string() incorrectly handled big5
CVE-2026-44172

6.9MEDIUM

Key Information:

Vendor: Mariadb
Status: Server
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-44172?

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Affected Version(s)

server = 3.3.18 = 3.3.18

server = 3.4.8 = 3.4.8

References

https://github.com/MariaDB/server/security/advisories/GHS...

x_refsource_CONFIRM

https://jira.mariadb.org/browse/CONC-819

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44172 Data

JSON

Mariadb

What is CVE-2026-44172?

Affected Version(s)

References

CVSS V4

Timeline