Users of the open-source MySQL database could be at risk from remote attacks from a bug in phpMyAdmin, the web-based MySQL administration tool.
The phpMyAdmin project warned of a bug in the way the tool's MIME-based transformation system handles "external" transformations.
Attackers could exploit the hole to execute arbitrary commands on a web server with the privileges of the server's user, the project said.
A patch fix is available on the phpMyAdmin site.
The vulnerability can only be exploited on systems where PHP's safe mode is turned off. Danish security firm Secunia said the flaw is serious, giving it a "highly critical" ranking.
The new flaw is the most serious to have been uncovered in phpMyAdmin to date; previous bugs, including some allowing configuration manipulation, code injection and cross site scripting, have been only moderately dangerous, according to security researchers.
PhpMyAdmin has become the de facto standard for controlling MySQL databases over a web-based interface, though it faces numerous competitors. Like MySQL it is distributed under an open-source licence.
MySQL has gained ground in the database market, particularly in small to medium-sized businesses, industry analysts say. Enterprises are also beginning to eye the product as an alternative to Oracle.
Matthew Broersma writes for Techworld