CVE-2026-48773
Undergoing Analysis
Undergoing Analysis - In Progress
Heap Memory Corruption in ProxySQL
Vulnerability report for CVE-2026-48773, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-19
Last updated on: 2026-06-22
Assigner: GitHub, Inc.
Description
Description
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sysown | proxysql | From 2.0.18 (inc) to 3.0.8 (inc) |
| sysown | proxysql | 3.0.9 |
| sysown | proxysql | 3.1.9 |
| sysown | proxysql | 4.0.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |