{"id":"PYSEC-2026-217","details":"MariaDB server is a community-developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that took non-validated user input, escaped it with mysql_real_escape_string(), and sent it to the database using the text protocol and the big5 character set was vulnerable to SQL injection, even though mysql_real_escape_string() was supposed to prevent it. This issue has been patched in versions 3.3.19 and 3.4.9. Note: these version numbers do not follow the version scheme of the PyPI mariadb package listed under affected; they appear to be MariaDB Connector/C versions (the referenced tracker issue is CONC-819), so exposure likely depends on the Connector/C client library the Python package is built or linked against.","aliases":["BIT-mariadb-2026-44172","BIT-mariadb-min-2026-44172","BIT-mysql-client-2026-44172","CVE-2026-44172","GHSA-pv9p-5w55-55jm"],"modified":"2026-06-17T19:41:04.348078429Z","published":"2026-06-12T18:16:34.123Z","references":[{"type":"ADVISORY","url":"https://github.com/MariaDB/server/security/advisories/GHSA-pv9p-5w55-55jm"},{"type":"ADVISORY","url":"https://jira.mariadb.org/browse/CONC-819"}],"affected":[{"package":{"name":"mariadb","ecosystem":"PyPI","purl":"pkg:pypi/mariadb"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"3.3.18"},{"last_affected":"3.4.8"}]}],"versions":["0.9.52","0.9.53","0.9.54","0.9.55","0.9.56","0.9.57","0.9.58","0.9.59","1.0.0","1.0.1","1.0.10","1.0.11","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0a1","1.1.0b1","1.1.0b2","1.1.0rc1","1.1.10","1.1.11","1.1.12","1.1.13","1.1.14","1.1.2","1.1.3","1.1.4","1.1.5","1.1.5.post1","1.1.5.post2","1.1.5.post3","1.1.6","1.1.7","1.1.8","1.1.9","2.0.0rc1","2.0.0rc2"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mariadb/PYSEC-2026-217.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}