CVE-2026-40342 - Vulnerability Analysis
Severity: Critical
CVSS: 9.9
Last Updated: April 17, 2026
Firebird - Command Injection
Published: April 17, 2026
Updated: April 17, 2026
Remote Exploitable
Overview
Firebird versions before 5.0.4, 4.0.7, and 3.0.14 contain a command injection vulnerability caused by unsafe concatenation of the user-supplied engine name in the external engine plugin loader. Authenticated users holding CREATE FUNCTION privileges can exploit this via path traversal to execute arbitrary code.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Authenticated users with CREATE FUNCTION privileges can execute arbitrary code as the server OS account, leading to full system compromise.
Mitigation
Update to version 5.0.4, 4.0.7, or 3.0.14 (or later) of the corresponding release branch.
Details
- CVE ID: CVE-2026-40342
- Severity: Critical
- CVSS Score: 9.9
- Type: command_injection
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H