CVE-2026-44170
MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated the table's HTTP attribute into the curl command line without proper sanitization. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
| CWE | CWE-78 |
| Vendor | mariadb |
| Product | server |
| Published | Jun 12, 2026 |
| Last Updated | Jun 12, 2026 |
Affected Versions
MariaDB / server
>= 10.6.1, < 10.6.26
>= 10.11.1, < 10.11.17
>= 11.4.1, < 11.4.11
>= 11.8.1, < 11.8.7
>= 12.3.1, < 12.3.2