CVE-2026-44170
Modified
Modified - Updated After Analysis
MariaDB Windows CONNECT Engine REST Command Injection
Vulnerability report for CVE-2026-44170, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-12
Last updated on: 2026-07-02
Assigner: GitHub, Inc.
Description
Description
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on WIndows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mariadb | mariadb | 12.3.1 |
| mariadb | mariadb | From 10.11.1 (inc) to 10.11.17 (exc) |
| mariadb | mariadb | From 10.6.1 (inc) to 10.6.26 (exc) |
| mariadb | mariadb | From 11.4.1 (inc) to 11.4.11 (exc) |
| mariadb | mariadb | From 11.8.1 (inc) to 11.8.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |