8.8

CVE-2026-40370

Medienbericht

SQL Server Remote Code Execution Vulnerability

External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerMicrosoft
Produkt Microsoft SQL Server 2016 Service Pack 3 (GDR)
Version 13.0.0
Version < 13.0.6490.1
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack
Version 13.0.0
Version < 13.0.7085.1
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2017 (CU 31)
Version 14.0.0
Version < 14.0.3530.2
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2017 (GDR)
Version 14.0.0
Version < 14.0.2110.2
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2019 (CU 32)
Version 15.0.0.0
Version < 15.0.4470.1
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2019 (GDR)
Version 15.0.0
Version < 15.0.2170.1
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2022 (GDR)
Version 16.0.0
Version < 16.0.1180.1
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2022 for x64-based Systems (CU 24)
Version 16.0.0.0
Version < 16.0.4252.3
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2025 (CU 4)
Version 17.0.4040.1
Version < 17.0.4040.1
Status affected
HerstellerMicrosoft
Produkt Microsoft SQL Server 2025 for x64-based Systems (GDR)
Version 17.0.1050.2
Version < 17.0.1115.1
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.418
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secure@microsoft.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
12.05.2026 20:20
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40370