CVE Catalog

CVE-2026-48773

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

ProxySQL, a proxy for MySQL and PostgreSQL, has a pre-authentication heap memory corruption vulnerability in versions 2.0.18 through 3.0.8. A remote unauthenticated client can declare an oversized first packet length, potentially leading to exploitation of this vulnerability.

Risk Assessment

This vulnerability may allow attackers to remotely execute code or destabilize the ProxySQL server, potentially causing serious disruptions to applications relying on the database.

Recommendation

It is recommended to upgrade ProxySQL to version 3.0.9 or later to mitigate this security issue.

Original NVD description (English source)

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS