CVE-2026-40342

EUVD-2026-23496
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Path Traversal
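The flaw described above, sketched as an added example (not Firebird's source code and not its actual fix): the unfiltered concatenation next to a loader-side check that allowlists the engine name and confirms the resulting path is a direct child of the plugin directory. The function names, the `.so` suffix and the 63-character limit are assumptions made for illustration.

```cpp
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Allowlist check: letters, digits, '_' and '-' only, 1..63 characters (assumed limit).
// This excludes '/', '\\', '.', NUL and every other path metacharacter.
bool isSafeEngineName(const std::string& name) {
    if (name.empty() || name.size() > 63) return false;
    for (unsigned char c : name)
        if (!std::isalnum(c) && c != '_' && c != '-') return false;
    return true;
}

// Lexically normalise an absolute POSIX path: "." and ".." resolved, no disk access.
std::string normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); }
        else parts.push_back(seg);
    }
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// The flawed pattern from the description: the name enters the path unfiltered.
std::string naivePluginPath(const std::string& dir, const std::string& engine) {
    return dir + "/" + engine + ".so";  // ".so" suffix is an assumption
}

// Hardened form: validate the name first, then confirm containment.
// Returns true and sets 'out' only for a path that is a direct child of dir.
bool resolveEnginePlugin(const std::string& dir, const std::string& engine,
                         std::string& out) {
    if (!isSafeEngineName(engine)) return false;
    const std::string base = normalize(dir);
    const std::string candidate = normalize(naivePluginPath(base, engine));
    const std::string prefix = (base == "/") ? base : base + "/";
    if (candidate.compare(0, prefix.size(), prefix) != 0) return false;
    if (candidate.find('/', prefix.size()) != std::string::npos) return false;
    out = candidate;
    return true;
}
```

The check belongs before any call that maps the library into the process, because the description notes that initialization code runs during loading, ahead of module validation.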
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.9 CRITICAL | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
EPSS Score percentile: 35%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| firebirdsql | firebird | 𝑥 < 3.0.14 |
| firebirdsql | firebird | 4.0.0 ≤ 𝑥 < 4.0.7 |
| firebirdsql | firebird | 5.0.0 ≤ 𝑥 < 5.0.4 |

𝑥 = Vulnerable software versions
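Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| firebird3.0 | bookworm | | vulnerable |
| firebird3.0 | bullseye | | vulnerable |
| firebird3.0 | bullseye (security) | | vulnerable |
| firebird3.0 | forky | 3.0.14.ds7-1 | fixed |
| firebird3.0 | sid | 3.0.14.ds7-1 | fixed |
| firebird3.0 | trixie | | vulnerable |
| firebird4.0 | forky | 4.0.7.3271.ds6-1 | fixed |
| firebird4.0 | sid | 4.0.7.3271.ds6-1 | fixed |
| firebird4.0 | trixie | | vulnerable |
| firebird4.0 | trixie (security) | | vulnerable |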