Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-5026 — SQL Injection in Mysql

CWE-89 — SQL Injection3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

3.2%

top 13.07%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mysql Oracle Mysql

Timeline

PublishedAug 17

Latest updateMay 2

Description

The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDmysql/mysql21 versions+20

▶NVDoracle/mysql60 versions+59

🔴Vulnerability Details

GHSA

GHSA-rw88-9fhw-cqr5: The executable comment feature in MySQL 5↗2022-05-02

▶

💥Exploits & PoCs

Exploit-DB

Oracle MySQL < 5.1.50 - Privilege Escalation↗2010-08-03

▶