CVE-2026-44172
Public on 2026-06-09
Modified on 2026-06-09
Description
An application that took non-validated user input, escaped it with mysql_real_escape_string(), and sent it to the database using the text protocol and the big5 character set was vulnerable to SQL injection, even though mysql_real_escape_string() was supposed to prevent it.
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | mariadb | | | Not Affected |
| Amazon Linux 2 - Lamp-mariadb10.2-php7.2 Extra | mariadb | | | No Fix Planned |
| Amazon Linux 2 - Mariadb10.5 Extra | mariadb | | | No Fix Planned |
| Amazon Linux 2023 | mariadb-connector-c | 2026-06-22 | ALAS2023-2026-1873 | Fixed |
| Amazon Linux 2023 | mariadb1011 | 2026-06-22 | ALAS2023-2026-1844 | Fixed |
| Amazon Linux 2023 | mariadb105 | | | No Fix Planned |
| Amazon Linux 2023 | mariadb114 | 2026-06-22 | ALAS2023-2026-1845 | Fixed |
| Amazon Linux 2023 | mariadb118 | | | Not Affected |
CVSS Scores
| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |