Malicious code vulnerability with maximum rating threatens Firebird
The open-source database management system Firebird has several vulnerabilities, some of which allow attackers to run malicious code on affected systems.
(Image: Tatiana Popova/Shutterstock.com)
Admins of Firebird instances should install the available security patches promptly. Otherwise, attackers can trigger crashes or, after executing malicious code, fully compromise systems. So far, there are no reports of attackers already exploiting the vulnerabilities.
Malicious code attacks possible
As can be seen from the security section of the project's GitHub site, the developers have closed a total of nine security vulnerabilities. One of them is rated "critical" with the maximum CVSS score of 10 out of 10 (CVE-2026-40342). Linux, macOS, and Windows are affected. For attackers to exploit the vulnerability, however, they must be able to execute the following command:
At this point, CREATE FUNCTION ... ENGINE "<name>" is not sufficiently hardened: attackers can use it to load a library from outside the plug-in folder (path traversal). This should not actually be possible. Because Firebird does not sufficiently verify the initialization code, attackers can thus execute malicious code. Given the rating, it can be assumed that attackers would subsequently gain full control over affected computers.
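As a defender-side illustration of the missing hardening described above, here is an added Python example (not Firebird's own code) that audits engine-based function metadata in the shape of the RDB$FUNCTION_NAME, RDB$ENGINE_NAME and RDB$ENTRYPOINT columns and flags engine names that would resolve outside the plug-in directory; the sample rows and the plug-in path are constructed.

```python
import os

# Constructed sample rows shaped like Firebird's RDB$FUNCTIONS metadata
# (RDB$FUNCTION_NAME, RDB$ENGINE_NAME, RDB$ENTRYPOINT); all values are made up.
SAMPLE_FUNCTIONS = [
    ("SUM_ARGS", "UDR", "udrcpp_example!sum_args"),   # normal engine-based function
    ("BACKDOOR", "../../tmp/evil", "evil!run"),        # traversal out of the plug-in dir
    ("ABS_PATH", "/tmp/evil", "evil!run"),             # absolute path instead of a name
    ("NO_ENGINE", None, None),                         # legacy UDF / PSQL, no ENGINE clause
]

# Constructed plug-in directory; adjust to the real installation when auditing.
PLUGIN_DIR = "/opt/firebird/plugins"


def is_engine_name_contained(plugin_dir: str, engine_name: str) -> bool:
    """True only if engine_name names a file directly inside plugin_dir.

    A plug-in name should be a bare identifier, so any path separator or
    dot-only component is rejected before the canonical-path check.
    """
    if not engine_name or any(ch in engine_name for ch in "/\\"):
        return False
    if engine_name in (".", ".."):
        return False
    resolved = os.path.realpath(os.path.join(plugin_dir, engine_name))
    return os.path.dirname(resolved) == os.path.realpath(plugin_dir)


def audit_engine_functions(rows, plugin_dir: str = PLUGIN_DIR) -> list:
    """Return names of engine-based functions whose ENGINE value escapes plugin_dir."""
    suspicious = []
    for name, engine, _entrypoint in rows:
        if engine is None:
            continue  # no ENGINE clause: nothing to load from the plug-in folder
        # CHAR columns are blank-padded in Firebird metadata, hence the strip().
        if not is_engine_name_contained(plugin_dir, engine.strip()):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for fn in audit_engine_functions(SAMPLE_FUNCTIONS):
        print(f"suspicious ENGINE value on function {fn}")
```

The same check, applied before the library is loaded, is the containment a hardened ENGINE clause would enforce; run against a live instance, the rows would come from a query on RDB$FUNCTIONS.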
The remaining vulnerabilities are rated "high". At these points, DoS and further malicious code attacks are possible (e.g. CVE-2026-28224, CVE-2026-33337).
Security updates available
The developers state that the vulnerabilities have been fixed in **versions 3.0.14, 4.0.7, 5.0.4, and 6.0**. Admins can check which versions are specifically affected in the advisories linked on the GitHub page.
(des)