CRITICAL 9.8

PYSEC-2026-217

Details

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mariadb

Introduced in: 0

No fixed version published yet for mariadb (pip). Pin to a known-safe version or switch to an alternative.

References

https://github.com/MariaDB/server/security/advisories/GHSA-pv9p-5w55-55jm [ADVISORY]
https://jira.mariadb.org/browse/CONC-819 [ADVISORY]