Vulnerability Details CVE-2026-40370
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 38.9%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-40370
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6300.2
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6441.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6445.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6455.2
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6460.7
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6465.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6470.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.6475.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7000.253
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7037.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7040.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7050.2
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7055.9
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7060.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7065.1
-
cpe:2.3:a:microsoft:sql_server_2016:13.0.7070.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.1000.169
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2027.2
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2037.2
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2042.3
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2052.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2056.2
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2060.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2070.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2075.8
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2080.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2085.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.2095.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3006.16
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3008.27
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3015.40
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3471.2
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3475.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3485.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3495.9
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3500.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3505.1
-
cpe:2.3:a:microsoft:sql_server_2017:14.0.3515.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2000.5
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2101.7
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2104.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2110.4
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2116.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2120.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2130.3
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2135.5
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2140.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2145.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.2155.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4003.23
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4013.40
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4023.6
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4033.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4298.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4312.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4316.3
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4322.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4326.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4335.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4345.5
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4355.3
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4360.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4365.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4375.4
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4382.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4385.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4390.2
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4410.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4435.7
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4440.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4445.1
-
cpe:2.3:a:microsoft:sql_server_2019:15.0.4455.2
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1000.6
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1050.5
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1105.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1110.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1115.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1121.4
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1125.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1130.5
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1135.2
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1140.6
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1145.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1150.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.1160.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4003.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4015.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4025.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4035.4
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4045.3
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4055.4
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4065.3
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4075.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4080.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4085.2
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4095.4
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4100.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4105.2
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4115.5
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4120.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4125.3
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4131.2
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4135.4
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4140.3
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4150.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4155.4
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4175.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4200.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4210.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4212.1
-
cpe:2.3:a:microsoft:sql_server_2022:16.0.4222.2
-
cpe:2.3:a:microsoft:sql_server_2025:*