CVE-2026-44170
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk42th percentile — higher than 42% of all known CVEs
Summary
A vulnerability in MariaDB on Windows with the CONNECT engine and REST support enabled allows shell command injection due to improper sanitization of the HTTP table attribute in the curl command line. Affected versions range from 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1.
Risk Assessment
An attacker can remotely execute arbitrary system commands on the server, leading to full compromise of the Windows system, data theft, or service disruption.
Recommendation
Immediately upgrade MariaDB to version 10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2. If upgrade is not possible, disable the CONNECT engine or REST support.
Original NVD description (English source)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on WIndows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

