
CVE-2026-27965 (Vitess, MySQL clustering)

CRITICAL
OS Command Injection (CWE-78)
2026-02-26 security-advisories@github.com GHSA-8g8j-r87h-p36x
9.9
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:55 (vuln.today)
Patch released / patch available: Mar 02, 2026 - 18:36 (nvd)
CVE Published: Feb 26, 2026 - 02:16 (nvd)

Description (GitHub Advisory)

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is executed when that backup is later restored. This gives the attacker unintended, unauthorized access to the production deployment environment: they can read information available in that environment and run any further arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch.

Workarounds are available. Those who intend to use an external decompressor can always specify that decompressor command in the --external-decompressor flag value for vttablet and vtbackup; that flag overrides any value specified in the manifest file. Those who intend to use neither an external nor an internal decompressor can set the --external-decompressor flag for vttablet and vtbackup to a harmless command such as cat or tee, so that a harmless command is always used instead of whatever the manifest names. In both cases the flag value comes from the operator's own configuration, so the backup store no longer decides which command restore runs.
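The trust boundary the advisory describes, and the workaround it gives, as an added illustration in Go (Vitess's own language). This is example code written for this page, not Vitess's restore code: the manifest struct, its field names and the allowlist are assumptions for illustration, and the sample manifests are constructed. The vulnerable path returns whatever command string the manifest carries; the hardened path lets an operator-supplied --external-decompressor value override the manifest, as the advisory recommends, and adds an executable allowlist so that the same check can be run as an audit over manifests pulled from the backup store.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Manifest carries only the fields this example needs. It is a simplified
// stand-in for a Vitess backup MANIFEST, not the project's own type; the
// field names are assumptions for illustration.
type Manifest struct {
	BackupMethod         string `json:"BackupMethod"`
	CompressionEngine    string `json:"CompressionEngine"`
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// Constructed sample manifests: the first is what an operator would expect,
// the second is what someone with write access to the bucket could leave behind.
const (
	BenignManifest   = `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"zstd -d"}`
	TamperedManifest = `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"sh -c 'touch /tmp/pwned; zstd -d'"}`
)

// DefaultAllowlist is an operator-chosen set of decompressor executables.
// It is an extra control for this example, not something the advisory prescribes.
var DefaultAllowlist = []string{"zstd", "pigz", "lz4", "cat", "tee"}

func ParseManifest(raw []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest: %w", err)
	}
	return m, nil
}

// VulnerableDecompressor shows the pre-fix trust boundary: whatever command
// string the manifest carries is what restore would go on to run.
func VulnerableDecompressor(m Manifest) string {
	return m.ExternalDecompressor
}

// DecompressorFor applies the advisory's workaround plus one extra check:
//  1. a non-empty operator flag (--external-decompressor) always wins, so a
//     tampered manifest cannot change the command;
//  2. otherwise the manifest value is accepted only if its executable is on
//     the allowlist, and it is split into argv rather than handed to a shell.
// strings.Fields is not shell-quoting aware; that is fine here because only
// argv[0] (the executable) is checked against the allowlist.
func DecompressorFor(m Manifest, operatorFlag string, allowlist []string) ([]string, error) {
	if operatorFlag != "" {
		return strings.Fields(operatorFlag), nil
	}
	argv := strings.Fields(m.ExternalDecompressor)
	if len(argv) == 0 {
		return nil, nil // no external decompressor configured anywhere
	}
	if !allowed(argv[0], allowlist) {
		return nil, fmt.Errorf("manifest decompressor %q is not on the allowlist", argv[0])
	}
	return argv, nil
}

func allowed(bin string, allowlist []string) bool {
	for _, a := range allowlist {
		if bin == a {
			return true
		}
	}
	return false
}

// AuditManifest runs the same check as a scan over manifests fetched from
// the backup store. A decompressor the operator never sanctioned is the
// tell-tale of a manipulated backup and should block the restore.
func AuditManifest(raw []byte, allowlist []string) []string {
	m, err := ParseManifest(raw)
	if err != nil {
		return []string{"unparseable manifest: " + err.Error()}
	}
	argv := strings.Fields(m.ExternalDecompressor)
	if len(argv) > 0 && !allowed(argv[0], allowlist) {
		return []string{fmt.Sprintf("unexpected ExternalDecompressor %q", m.ExternalDecompressor)}
	}
	return nil
}

func main() {
	for name, raw := range map[string]string{"benign": BenignManifest, "tampered": TamperedManifest} {
		m, _ := ParseManifest([]byte(raw))
		fmt.Printf("%s: vulnerable path would run %q\n", name, VulnerableDecompressor(m))
		argv, err := DecompressorFor(m, "", DefaultAllowlist)
		fmt.Printf("%s: hardened path (no flag) -> argv=%v err=%v\n", name, argv, err)
		argv, _ = DecompressorFor(m, "zstd -d", DefaultAllowlist)
		fmt.Printf("%s: with --external-decompressor set -> argv=%v\n", name, argv)
		fmt.Printf("%s: audit findings %v\n", name, AuditManifest([]byte(raw), DefaultAllowlist))
	}
}
```

The override in step 1 is exactly why the advisory's workaround holds: once the flag is set, the manifest's value is never consulted, so write access to the bucket no longer translates into command execution on the restoring host. The allowlist and the audit scan are additions beyond the advisory; they let an operator who cannot upgrade immediately detect manifests that have already been altered.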

Analysis (AI)

Command injection in Vitess MySQL clustering system before 23.0.3/22.0.4. Users with read/write access to the backup store can achieve code execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain read/write access to the backup storage location
Delivery: Modify backup manifest files
Exploit: Inject a malicious command into the manifest
Execution: Backup is restored in production
Impact: Arbitrary commands execute on the restoring database host

Vulnerability Assessment (AI)

Exploitation Authenticated read/write access to backup storage location (e.g., S3 bucket) where Vitess backups are stored; backup restoration process must be triggered on target Vitess deployment using manipulated manifest files. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.9 with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to the backup store injects a command through backup metadata; the command runs in the production environment on the host where vttablet or vtbackup performs the restore.
Remediation Update Vitess. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Audit all backup storage locations and verify access controls are properly restricted. …



Vendor Status

SUSE

Severity: Critical


CVE-2026-27965 vulnerability details – vuln.today
