CVE-2026-44171
6.3 MEDIUM
MariaDB server is a community developed fork of MySQL server
Published: 2026-06-12 · Last updated: 2026-06-16
Severity and scoring
- CVSS: 6.3 MEDIUM
- Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-22
Affected products
| Vendor | Product |
|---|---|
| mariadb | mariadb |
Description
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Source: NVD
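The missing check described above, sketched as an added example (not MariaDB's code and not the actual patch): a lexical validator that an unpacker can run on each archive entry name before joining it to the target directory. The function name entry_path_is_safe and the sample entry names are assumptions made for illustration, and the check goes slightly beyond the description by also rejecting absolute paths and backslash separators.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if `path` (an entry name read from an archive) may be joined
 * onto the target directory, 0 otherwise.
 * Hypothetical helper for illustration; not taken from mbstream. */
int entry_path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;                       /* empty names are never valid */
    if (path[0] == '/' || path[0] == '\\')
        return 0;                       /* absolute path ignores target dir */

    const char *p = path;
    while (*p) {
        /* Length of the next component; both separators are treated alike. */
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* "../x", "a/../b" and "a/.." */
        p += len;
        if (*p)
            p++;                        /* step over the separator */
    }
    return 1;                           /* names such as "db..old" pass */
}

int main(void)
{
    /* Constructed sample entry names, not taken from a real archive. */
    const char *samples[] = {
        "ibdata1", "mysql/user.frm", "db..old/t1.ibd",
        "../outside", "db/../../x", "db/..", "/abs/path",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s %s\n", samples[i],
               entry_path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A lexical check of this kind does not account for symlinks already present under the target directory; resolving the final path and comparing it against the target directory prefix covers that case.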
Related CVEs
Same vendor
- CVE-2026-48165 — MariaDB server is a community developed fork of MySQL server (8.0 HIGH)
- CVE-2026-48163 — MariaDB server is a community developed fork of MySQL server (8.0 HIGH)
- CVE-2026-44173 — MariaDB server is a community developed fork of MySQL server (5.0 MEDIUM)
- CVE-2026-44172 — MariaDB server is a community developed fork of MySQL server (9.8 CRITICAL)
- CVE-2026-44170 — MariaDB server is a community developed fork of MySQL server (9.8 CRITICAL)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)