8.8
CVE-2026-40370
- EPSS 0.56%
- Veröffentlicht 12.05.2026 16:59:21
- Zuletzt bearbeitet 13.05.2026 15:34:52
- Quelle secure@microsoft.com
- CVE-Watchlists
- Unerledigt
SQL Server Remote Code Execution Vulnerability
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2016 Service Pack 3 (GDR)
Version
13.0.0
Version <
13.0.6490.1
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack
Version
13.0.0
Version <
13.0.7085.1
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2017 (CU 31)
Version
14.0.0
Version <
14.0.3530.2
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2017 (GDR)
Version
14.0.0
Version <
14.0.2110.2
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2019 (CU 32)
Version
15.0.0.0
Version <
15.0.4470.1
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2019 (GDR)
Version
15.0.0
Version <
15.0.2170.1
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2022 (GDR)
Version
16.0.0
Version <
16.0.1180.1
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2022 for x64-based Systems (CU 24)
Version
16.0.0.0
Version <
16.0.4252.3
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2025 (CU 4)
Version
17.0.4040.1
Version <
17.0.4040.1
Status
affected
HerstellerMicrosoft
≫
Produkt
Microsoft SQL Server 2025 for x64-based Systems (GDR)
Version
17.0.1050.2
Version <
17.0.1115.1
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.418 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secure@microsoft.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-73 External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40370