CVE-2026-49261

· Published 11/06/2026 20:16 · Modified 11/06/2026 20:56 · Author: The MITRE Corporation

Labels: CVE-2026-49261, 2026-06-11, CWE-78

Essential information

Published: 11/06/2026 20:16
Modified: 11/06/2026 20:56
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-78
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

| Product | CPE |
| --- | --- |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:10.6.1-10.6.26:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:10.11.1-10.11.17:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:11.4.1-11.4.11:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:11.8.1-11.8.7:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:12.3.1:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:10.6.27:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:10.11.18:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:11.4.12:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:11.8.8:*:*:*:*:*:*:* |
| mariadb / mariadb | cpe:2.3:a:mariadb:mariadb:12.3.2:*:*:*:*:*:*:* |

References