CVE-2026-40370
Published 2026-05-12
Severity: High, 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_sql_server_2016_service_pack_3 | >= 13.0.0 < 13.0.6490.1 | 13.0.6490.1 |
| microsoft | microsoft_sql_server_2016_service_pack_3_azure_connect_feature_pack | >= 13.0.0 < 13.0.7085.1 | 13.0.7085.1 |
| microsoft | microsoft_sql_server_2017 | >= 14.0.0 < 14.0.3530.2 | 14.0.3530.2 |
| microsoft | microsoft_sql_server_2017 | >= 14.0.0 < 14.0.2110.2 | 14.0.2110.2 |
| microsoft | microsoft_sql_server_2019 | >= 15.0.0 < 15.0.2170.1 | 15.0.2170.1 |
| microsoft | microsoft_sql_server_2019 | >= 15.0.0.0 < 15.0.4470.1 | 15.0.4470.1 |
| microsoft | microsoft_sql_server_2022 | >= 16.0.0 < 16.0.1180.1 | 16.0.1180.1 |
| microsoft | microsoft_sql_server_2022_for_x64-based_systems | >= 16.0.0.0 < 16.0.4252.3 | 16.0.4252.3 |
| microsoft | microsoft_sql_server_2025 | >= 17.0.4040.1 < 17.0.4040.1 | 17.0.4040.1 |
| microsoft | microsoft_sql_server_2025_for_x64-based_systems | >= 17.0.1050.2 < 17.0.1115.1 | 17.0.1115.1 |