HIGH🇵🇱 Wersja polska

CVE-2026-44168

CVSS 8.0v3.1pub. 2026-06-12upd. 2026-07-02

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
  • MariaDB

    APP
    Mariadb
    12.3.110.6.1 – 10.6.26 (bez)10.11.1 – 10.11.17 (bez)11.4.1 – 11.4.11 (bez)11.8.1 – 11.8.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-49261CRITICAL10.0PL ✓ten sam produkt

MariaDB: command injection przez wsrep_notify_cmd w nazwie węzła Galera

CVE-2023-26785CRITICAL9.8PL ✓ten sam produkt

MariaDB v10.5 — RCE przez UDF w plikach współdzielonych (disputed)

CVE-2020-15180CRITICAL9.0ten sam produkt

A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` all...

CVE-2016-9843CRITICAL9.8ten sam produkt

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified im...

CVE-2016-6662CRITICAL9.8ten sam produkt

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x bef...