Mysql Shell
Monthly
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CVSS 2.5), this vulnerability is no authentication required.
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CVSS 2.5), this vulnerability is no authentication required.