CVE-2026-40342

CRITICAL 10.0

Firebird: Path Traversal + Arbitrary File Write Leads to Remote Code Execution

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

CWE	CWE-22 CWE-427 CWE-73 CWE-94
Vendor	firebirdsql
Product	firebird
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for firebirdsql firebird

Be the first to know when new critical vulnerabilities affecting firebirdsql firebird are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

FirebirdSQL / firebird

< 3.0.14 >= 4.0.0, < 4.0.7 >= 5.0.0, < 5.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7pxc-h3rv-r257 github.com: https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14 github.com: https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7 github.com: https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4