SQL injection in Netatalk - CVE-2026-44047
Published: July 12, 2026
Netatalk
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in libatalk/cnid/mysql/cnid_mysql.c when processing AFP filenames in MySQL CNID backend queries. A remote user can create or access files with specially crafted names to execute arbitrary SQL commands.
Only servers compiled with the non-default MySQL CNID backend are vulnerable.