MariaDB <=10.6.26/10.11.17/11.4.11/11.8.7/12.3.2 REST Shell Cmd Injection
CVE-2026-44170 Published on June 12, 2026
MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on WIndows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-44170 has been classified to as a Shell injection vulnerability or weakness.
Affected Versions
MariaDB server:- Version >= 10.6.1, < 10.6.26 is affected.
- Version >= 10.11.1, < 10.11.17 is affected.
- Version >= 11.4.1, < 11.4.11 is affected.
- Version >= 11.8.1, < 11.8.7 is affected.
- Version >= 12.3.1, < 12.3.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.