Is CVE-2026-40342 actively exploited?

CVE-2026-40342 has no public evidence of in-the-wild exploitation as of 2026-04-20.

What is the CVSS score for CVE-2026-40342?

CVE-2026-40342 has a CVSS score of 9.9 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

How do I patch CVE-2026-40342?

Vendor patch guidance is linked from the references on this page. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-40342.

Which products are affected by CVE-2026-40342?

Affected products for CVE-2026-40342 are listed on this page once vendor data becomes available.

Fix CVE-2026-40342 - CRITICAL Vulnerability

Description

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-22 · Path Traversal CWE-73 CWE-94 · Code Injection CWE-427

Metadata

Primary Vendor: UNKNOWN
Published: 4/17/2026
Last Modified: 4/20/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-40342

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary