CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-46860

unknowncovered by 1 sourcefirst seen 2026-06-17
Oracle has fixed vulnerabilities in Oracle MySQL Shell for VS Code, MySQL Router, MySQL NDB Cluster, and MySQL Server. The vulnerabilities are present in various Oracle MySQL products and versions. In MySQL Shell for VS Code (version 2026.2.0+9.6.1), attackers with low privileges and network access via HTTP or user-interactive network access can gain full control over the MySQL Shell or unauthorized access to critical data. In MySQL Router (versions 8.4.0 to 8.4.9 and 9.0.0 to 9.7.0), unauthenticated attackers can achieve full device takeover or cause a denial-of-service by crashing or hanging the system via HTTP or TLS. MySQL NDB Cluster (versions 8.0.11 to 8.0.46, 8.4.0 to 8.4.9, and 9.0.0 to 9.7.0) contains a vulnerability that allows an attacker with low privileges and network access via HTTP to create, delete, or modify unauthorized critical data. MySQL Server and MySQL Cluster contain a vulnerability that allows an unauthenticated network attacker to cause a denial-of-service by crashing or hanging the server. The vulnerabilities have various CVSS 3.1 base scores ranging from 6.5 to 9.9, depending on the product and the nature of the vulnerability.

CSIRTS triage

What
Vulnerabilities in various MySQL products could allow attackers to gain unauthorized access or cause denial-of-service.
Who is affected
Users of Oracle MySQL products with network access.
Urgency
Remediation is critical due to the potential for unauthorized access and system disruption.
Action
Users should apply the updates provided by Oracle.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-46860

Get an email if CVE-2026-46860 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-46860

CVE.org record

Embed the live status

CVE-2026-46860 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-46860 status](https://www.csirts.com/badge/CVE-2026-46860)](https://www.csirts.com/cve/CVE-2026-46860)