MySQL Hit By "Critical" Remote Code Execution 0-Day
Researchers have discovered multiple "severe" MySQL vulnerabilities, with CVE-2016-6662 marked as critical and affecting the latest MySQL version.
This 0-day can be exploited by both local and remote attackers, either through authenticated access to a MySQL database (including web UI administration panels) or through SQL injection attacks. The exploit could allow attackers to execute arbitrary code with root privileges.
More details on this CVE are available via this mailing list post, while exhaustive details are available in the report at LegalHackers.com.
Oracle has yet to release a fixed version of MySQL -- even though it was reported to them in July -- while MariaDB and others have acted.