What is the CVSS score of CVE-2026-44171?

CVE-2026-44171 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of MariaDB Server are affected by CVE-2026-44171?

MariaDB Server across all supported versions is vulnerable to a local path traversal weakness enabling attackers to escape directory boundaries and access sensitive database files-threatening data…. A patch is available.

How to fix or mitigate CVE-2026-44171?

Within 24 hours: identify and document all MariaDB Server instances in production and development environments, recording their current versions. Within 7 days: apply vendor-released patches from the affected versions (10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2) according to your deployment branch during scheduled maintenance windows. Within 30 days: verify patch deployment across all instances and implement filesystem access controls restricting database file and directory access to authorized processes only.

MariaDB Server CVE-2026-44171

EUVD-2026-36516 HIGH

Path Traversal (CWE-22)

N/A vendor:alpine

Path Traversal MariaDB

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI

7.3 HIGH

Local attack vector and required user interaction match the description; assessed PR:L because triggering a MariaDB server path handler realistically requires an authenticated database session, not anonymous access.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Jun 16, 2026 - 19:58 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 16, 2026 - 19:58 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 16, 2026 - 19:52 vuln.today

cvss_changed

Severity Changed

Jun 16, 2026 - 19:52 NVD

MEDIUM HIGH

CVSS changed

Jun 16, 2026 - 19:52 NVD

6.3 (MEDIUM) 7.8 (HIGH)

Patch available

Jun 12, 2026 - 19:01 EUVD

CVSS changed

Jun 12, 2026 - 18:22 NVD

6.3 (MEDIUM)

Analysis Generated

May 27, 2026 - 23:12 vuln.today

DescriptionNVD

Alpine Linux: mariadb fixed in 11.8.7-r0

AnalysisAI

Path traversal in MariaDB Server (CVE-2026-44171) allows a local attacker to escape intended directory boundaries via user-interaction-driven file handling, with full confidentiality, integrity, and availability impact (CVSS 7.8). Multiple stable branches are affected, with fixes shipped in 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2; Alpine Linux has packaged the fix as mariadb 11.8.7-r0. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Stage malicious path-traversal payload locally

Delivery

Induce local user to process input

Exploit

Trigger vulnerable path handler in mariadbd

Execution

Escape data directory boundary

Persist

Read or overwrite arbitrary files

Impact

Compromise database confidentiality, integrity, availability

Access

Stage malicious path-traversal payload locally

Delivery

Induce local user to process input

Exploit

Trigger vulnerable path handler in mariadbd

Execution

Escape data directory boundary

Persist

Read or overwrite arbitrary files

Impact

Compromise database confidentiality, integrity, availability

Vulnerability AssessmentAI

Exploitation	Per the CVSS vector AV:L/AC:L/PR:N/UI:R, the attacker must deliver crafted input that is processed locally on the MariaDB Server host, and a local user must perform an action (UI:R) - for example loading a supplied file, importing a dump, or running a script that passes attacker-controlled path data to the vulnerable MariaDB code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Severity signals are mixed: the CVSS 3.1 base score of 7.8 is driven by high C/I/A impact (AV:L/AC:L/PR:N/UI:R), but EPSS sits at 0.01% (2nd percentile), the CVE is not on CISA KEV, and no public PoC was identified, so real-world exploitation pressure is currently low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker supplies crafted input containing directory-traversal sequences (for example via a filename argument processed by the server during an import, log, or file-handling operation) and induces a local user or DBA to execute the action that consumes it. The vulnerable path-handling code then reads from or writes to a location outside the intended directory, yielding disclosure, tampering, or denial of service. …
Remediation	Vendor-released patches are available - upgrade MariaDB Server to 10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2 depending on which branch you run, per the EUVD record and the upstream advisory at https://github.com/MariaDB/server/security/advisories/GHSA-9pjh-5hhw-65v9 and bug https://jira.mariadb.org/browse/MDEV-39408. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify and document all MariaDB Server instances in production and development environments, recording their current versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-44171 vulnerability details – vuln.today

Back

MariaDB Server CVE-2026-44171

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code