CVE-2026-3494

MEDIUM EPSS 19.1%
Published Mar 3, 2026 (4mo ago) · Modified Mar 16, 2026 (3mo ago)
5.3 CVSS 4.0
Medium

Description

In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled and the server_audit_events variable is configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, a SQL statement that an authenticated database user prefixes with a double-hyphen (--) or hash (#) style comment is not logged.

CVSS Details

Base Score: 5.3
Vector string:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability
19.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-778

Affected Products 15

Vendor   Product                      Version  Range
mariadb  mariadb                      *        ≤10.6.24
mariadb  mariadb                      *        ≥10.7.0 – ≤10.11.15
mariadb  mariadb                      *        ≥11.0.0 – ≤11.4.9
mariadb  mariadb                      *        ≥11.5.0 – ≤11.8.5
amazon   aurora_mysql                 *        ≤2.12.5
amazon   aurora_mysql                 *        ≥3.01.0 – ≤3.04.5
amazon   aurora_mysql                 *        ≥3.05.1 – ≤3.10.2
amazon   aurora_mysql                 3.11.0   any
amazon   relational_database_service  *        ≤5.7.44-rds.20251212
amazon   relational_database_service  *        ≤10.6.24
amazon   relational_database_service  *        ≥8.0.11 – ≤8.0.44
amazon   relational_database_service  *        ≥8.4.3 – ≤8.4.7
amazon   relational_database_service  *        ≥10.11.4 – ≤10.11.15
amazon   relational_database_service  *        ≥11.4.3 – ≤11.4.9
amazon   relational_database_service  *        ≥11.8.3 – ≤11.8.5

References 3

  • aws.amazon.com https://aws.amazon.com/security/security-bulletins/2026-006-AWS/
    Third Party Advisory
  • github.com https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261
  • github.com https://github.com/aws/audit-plugin-for-mysql/commit/01e25a5cb1073f131eea774c06c8a056b1e4b2ff

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.