MySQL vulnerabilities: known CVEs & security history
Oracle · Database · 1328 tracked CVEs · 0 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all MySQL release lines — 1328 in total. A CVE here doesn't mean your version is affected — check MySQL's current status and the safe version to run.
Known MySQL CVEs
Actively-exploited and most-severe first. Showing the top 80 of 1328. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2020-11656 | critical | 9.8 | 7% | 2020 |
| CVE-2019-14540 | critical | 9.8 | 11% | 2019 |
| CVE-2016-9843 | critical | 9.8 | 6% | 2017 |
| CVE-2016-9841 | critical | 9.8 | 7% | 2017 |
| CVE-2016-6662 | critical | 9.8 | 68% | 2016 |
| CVE-2016-0639 | critical | 9.8 | 10% | 2016 |
| CVE-2016-0705 | critical | 9.8 | 26% | 2016 |
| CVE-2012-2750 | high | 10 | 4% | 2012 |
| CVE-2004-0836 | high | 10 | 10% | 2004 |
| CVE-2012-3163 | high | 9 | 5% | 2012 |
| CVE-2003-0780 | high | 9 | 75% | 2003 |
| CVE-2003-0150 | high | 9 | 45% | 2003 |
| CVE-2016-9842 | high | 8.8 | 5% | 2017 |
| CVE-2016-9840 | high | 8.8 | 5% | 2017 |
| CVE-2009-2446 | high | 8.5 | 11% | 2009 |
| CVE-2005-2572 | high | 8.5 | 5% | 2005 |
| CVE-2016-3477 | high | 8.1 | 0% | 2016 |
| CVE-2020-14878 | high | 8 | 1% | 2020 |
| CVE-2002-0969 | high | 7.8 | 1% | 2002 |
| CVE-2020-5258 | high | 7.7 | 4% | 2020 |
| CVE-2018-3155 | high | 7.7 | 4% | 2018 |
| CVE-2018-2755 | high | 7.7 | 1% | 2018 |
| CVE-2017-3309 | high | 7.7 | 3% | 2017 |
| CVE-2017-3308 | high | 7.7 | 3% | 2017 |
| CVE-2016-3440 | high | 7.7 | 3% | 2016 |
| CVE-2024-21272 | high | 7.5 | 1% | 2024 |
| CVE-2020-1967 | high | 7.5 | 53% | 2020 |
| CVE-2020-11655 | high | 7.5 | 5% | 2020 |
| CVE-2020-5398 | high | 7.5 | 88% | 2020 |
| CVE-2019-2822 | high | 7.5 | 3% | 2019 |
| CVE-2019-2632 | high | 7.5 | 4% | 2019 |
| CVE-2018-2696 | high | 7.5 | 5% | 2018 |
| CVE-2017-10155 | high | 7.5 | 4% | 2017 |
| CVE-2017-3599 | high | 7.5 | 90% | 2017 |
| CVE-2017-3450 | high | 7.5 | 4% | 2017 |
| CVE-2017-3329 | high | 7.5 | 4% | 2017 |
| CVE-2017-3302 | high | 7.5 | 5% | 2017 |
| CVE-2016-3471 | high | 7.5 | 0% | 2016 |
| CVE-2016-2105 | high | 7.5 | 40% | 2016 |
| CVE-2015-0411 | high | 7.5 | 10% | 2015 |
| CVE-2014-6500 | high | 7.5 | 6% | 2014 |
| CVE-2014-6491 | high | 7.5 | 6% | 2014 |
| CVE-2014-0001 | high | 7.5 | 6% | 2014 |
| CVE-2013-1492 | high | 7.5 | 3% | 2013 |
| CVE-2012-0553 | high | 7.5 | 3% | 2013 |
| CVE-2012-0882 | high | 7.5 | 5% | 2012 |
| CVE-2012-3158 | high | 7.5 | 5% | 2012 |
| CVE-2009-4484 | high | 7.5 | 70% | 2009 |
| CVE-2008-0226 | high | 7.5 | 92% | 2008 |
| CVE-2006-2753 | high | 7.5 | 3% | 2006 |
| CVE-2004-0835 | high | 7.5 | 22% | 2004 |
| CVE-2002-1809 | high | 7.5 | 16% | 2002 |
| CVE-2002-1921 | high | 7.5 | 3% | 2002 |
| CVE-2002-1923 | high | 7.5 | 3% | 2002 |
| CVE-2002-1374 | high | 7.5 | 20% | 2002 |
| CVE-2002-1375 | high | 7.5 | 24% | 2002 |
| CVE-2002-1376 | high | 7.5 | 7% | 2002 |
| CVE-2001-1453 | high | 7.5 | 11% | 2001 |
| CVE-2001-1454 | high | 7.5 | 10% | 2001 |
| CVE-2001-1274 | high | 7.5 | 5% | 2001 |
| CVE-2000-0148 | high | 7.5 | 5% | 2000 |
| CVE-2022-21600 | high | 7.2 | 1% | 2022 |
| CVE-2021-2144 | high | 7.2 | 2% | 2021 |
| CVE-2020-14828 | high | 7.2 | 2% | 2020 |
| CVE-2020-14697 | high | 7.2 | 2% | 2020 |
| CVE-2020-14678 | high | 7.2 | 2% | 2020 |
| CVE-2020-14663 | high | 7.2 | 2% | 2020 |
| CVE-2016-0546 | high | 7.2 | 1% | 2016 |
| CVE-2015-4819 | high | 7.2 | 0% | 2015 |
| CVE-2001-1275 | high | 7.2 | 1% | 2001 |
| CVE-2000-0981 | high | 7.2 | 2% | 2000 |
| CVE-2023-21980 | high | 7.1 | 1% | 2023 |
| CVE-2022-21351 | high | 7.1 | 1% | 2022 |
| CVE-2022-21278 | high | 7.1 | 1% | 2022 |
| CVE-2021-35610 | high | 7.1 | 2% | 2021 |
| CVE-2019-2800 | high | 7.1 | 2% | 2019 |
| CVE-2019-2534 | high | 7.1 | 2% | 2019 |
| CVE-2018-3064 | high | 7.1 | 3% | 2018 |
| CVE-2018-2562 | high | 7.1 | 3% | 2018 |
| CVE-2016-6664 | high | 7 | 3% | 2016 |
1248 older / lower-severity CVEs not shown — see MySQL's full record.
Is my MySQL version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your MySQL version → · Monitor MySQL for new CVEs →
MySQL vulnerabilities — frequently asked
How many known vulnerabilities does MySQL have?
IsItPatched tracks 1328 CVEs for MySQL. 7 are critical-severity and 75 high-severity. These span every release line — what matters is whether the version you run is affected.
Does MySQL have any actively-exploited vulnerabilities?
None of MySQL's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe MySQL vulnerability?
Among tracked issues, CVE-2020-11656 (CRITICAL, CVSS 9.8) ranks highest — a Use-after-free weakness.
Is MySQL safe to use?
It depends on the version. The latest supported MySQL release (9.7.1) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: MySQL security status · MySQL end-of-life · actively-exploited CVEs. Always verify against Oracle's advisories — see our disclaimer.