
ProxySQL CVE-2026-48773

EUVD: EUVD-2026-38073 CRITICAL
Out-of-bounds Write (CWE-787)
2026-06-19 GitHub_M
9.8
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.8 CRITICAL

Pre-authentication first-read path reached over the network with no user interaction (AV:N/AC:L/PR:N/UI:N); heap OOB write plausibly yields RCE, so C/I/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 19, 2026 - 21:02 (EUVD)
Analysis generated: Jun 19, 2026 - 20:16 (vuln.today)
CVE published: Jun 19, 2026 - 19:27 (cve.org)

Description (CVE.org)

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to recv() while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.
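The description names a classic pattern: the peer declares a payload length in its first packet, and that declared value is handed to recv() while the bytes land in a fixed-size queue. The following is an added, constructed illustration of that pattern and of the check that closes it; it is not ProxySQL's code. The queue type, the 4-byte header (3-byte little-endian length plus a sequence byte, the layout of a MySQL wire-protocol packet header), and the in-memory "peer" standing in for a socket are assumptions made for the demo. The unchecked variant is only modelled (it reports the size it would ask recv() for), because actually performing the oversized write would be undefined behaviour.

```c
/* Constructed demo of the unchecked-length first-read pattern and its fix.
 * Not ProxySQL code: queue, header layout and fake socket are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_SIZE (32 * 1024)   /* fixed input queue size quoted in the advisory */
#define HDR_LEN 4                /* assumed: 3-byte LE length + 1 sequence byte */

typedef enum { READ_OK, READ_NEED_MORE, READ_REJECT } read_status_t;

typedef struct { uint8_t buf[QUEUE_SIZE]; size_t used; } input_queue_t;

/* Constructed stand-in for a connected socket: the bytes the client "sent". */
typedef struct { const uint8_t *data; size_t len; size_t pos; } peer_t;

/* Stand-in for recv(): copies at most n bytes from the peer into dst. */
size_t fake_recv(peer_t *p, uint8_t *dst, size_t n) {
    size_t avail = p->len - p->pos;
    if (n > avail) n = avail;
    memcpy(dst, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Header helpers: 3-byte little-endian payload length, then a sequence id. */
uint32_t header_length(const uint8_t *hdr) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) | ((uint32_t)hdr[2] << 16);
}
void make_header(uint8_t *hdr, uint32_t payload_len, uint8_t seq) {
    hdr[0] = (uint8_t)(payload_len & 0xff);
    hdr[1] = (uint8_t)((payload_len >> 8) & 0xff);
    hdr[2] = (uint8_t)((payload_len >> 16) & 0xff);
    hdr[3] = seq;
}

/* Vulnerable pattern, modelled only: recv(fd, queue + HDR_LEN, declared, 0)
 * with no comparison against the space left in the queue. Returns true when
 * that call could write past the end of the fixed queue. */
bool unchecked_read_overflows(const uint8_t *hdr) {
    size_t requested = header_length(hdr);
    return requested > (size_t)(QUEUE_SIZE - HDR_LEN);
}

/* Hardened first read: the declared length is validated against the queue
 * capacity before any payload byte is read. Short reads are handled by
 * returning READ_NEED_MORE so the caller can call again when data arrives. */
read_status_t first_read_checked(input_queue_t *q, peer_t *peer, uint32_t *declared_out) {
    if (q->used < HDR_LEN) {
        q->used += fake_recv(peer, q->buf + q->used, HDR_LEN - q->used);
        if (q->used < HDR_LEN) return READ_NEED_MORE;
    }
    uint32_t declared = header_length(q->buf);
    if (declared_out) *declared_out = declared;
    if (declared > QUEUE_SIZE - HDR_LEN)
        return READ_REJECT;              /* oversized packet: close the connection */
    size_t have = q->used - HDR_LEN;     /* payload bytes already queued */
    size_t want = declared - have;       /* bounded by the space actually left */
    q->used += fake_recv(peer, q->buf + q->used, want);
    return (q->used == HDR_LEN + declared) ? READ_OK : READ_NEED_MORE;
}

/* Runs one fresh queue through the checked read over a constructed message. */
read_status_t run_checked(const uint8_t *msg, size_t msg_len, size_t *used_out) {
    static input_queue_t q;              /* 32 KB: keep it off the stack */
    memset(&q, 0, sizeof q);
    peer_t peer = { msg, msg_len, 0 };
    read_status_t st = first_read_checked(&q, &peer, NULL);
    if (used_out) *used_out = q.used;
    return st;
}

int main(void) {
    uint8_t hdr[HDR_LEN];
    make_header(hdr, 0xFFFFFF, 0);       /* constructed: declares a ~16 MB payload */
    printf("unchecked path would overflow: %s\n",
           unchecked_read_overflows(hdr) ? "yes" : "no");

    uint8_t msg[HDR_LEN + 5];            /* constructed: a well-formed 5-byte packet */
    make_header(msg, 5, 0);
    memcpy(msg + HDR_LEN, "hello", 5);
    size_t used = 0;
    read_status_t st = run_checked(msg, sizeof msg, &used);
    printf("checked read of a 5-byte packet: status %d, queued %zu bytes\n", st, used);
    return 0;
}
```

The defensive point is in first_read_checked: the length is compared against the space remaining in the queue before it reaches the read call, and an oversized declaration ends the session rather than being trusted. The same comparison is a natural place for a metric or log line, since a first packet declaring more than the queue can hold is never legitimate traffic for this path.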

Analysis (AI)

Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify exposed ProxySQL listener
Delivery: Open TCP connection to port 6033
Exploit: Send first packet with oversized length field
Install: Trigger out-of-bounds heap write via recv()
C2: Groom heap and hijack control flow
Execute: Execute code as ProxySQL process
Impact: Pivot to backend MySQL/PostgreSQL credentials

Vulnerability Assessment (AI)

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of ProxySQL 2.0.18 through 3.0.8, requiring only TCP reachability to a client-facing listener (MySQL protocol port, default 6033, or any configured PostgreSQL listener); the vulnerability is in the pre-authentication first-read path so no credentials, prior session, or user interaction are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects remote, unauthenticated, low-complexity exploitation with full CIA impact, and the bug sits in the pre-authentication code path, so it is reachable on any exposed listener without credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a ProxySQL listener (for example, an exposed 6033/tcp port or a PostgreSQL frontend on an internal segment reached via SSRF or a compromised host) opens a TCP connection and sends a single crafted packet whose declared length field far exceeds 32 KB, followed by attacker-chosen payload bytes. ProxySQL passes the oversized length to recv() and writes past the fixed input queue, corrupting adjacent heap structures; with careful heap grooming this is a plausible primitive for remote code execution as the ProxySQL process, and otherwise it reliably crashes the proxy and severs all backend database traffic. …
Remediation Vendor-released patch: ProxySQL 3.0.9 - upgrade all affected instances to 3.0.9 or later as the primary remediation, per https://github.com/sysown/proxysql/releases/tag/v3.0.9 and the advisory at https://github.com/sysown/proxysql/security/advisories/GHSA-58ww-865x-grpr. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all systems running affected ProxySQL versions (2.0.18-3.0.8) and document their role in production database infrastructure. …

