{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-42167", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T22:09:41.090Z", "dateReserved": "2026-04-24T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ProFTPD", "vendor": "ProFTPD", "versions": [{"lessThan": "1.3.10rc1", "status": "affected", "version": "1.3.7b", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T22:09:41.090Z"}, "references": [{"url": "http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1"}, {"url": "https://github.com/proftpd/proftpd/issues/2052"}, {"url": "https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce"}, {"url": "https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.3.7b", "versionEndExcluding": "1.3.10rc1"}]}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM)."}], "id": "CVE-2026-42167", "lastModified": "2026-04-28T23:16:20.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-28T23:16:20.610", "references": [{"source": "cve@mitre.org", "url": "http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1"}, {"source": "cve@mitre.org", "url": "https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc"}, {"source": "cve@mitre.org", "url": "https://github.com/proftpd/proftpd/issues/2052"}, {"source": "cve@mitre.org", "url": "https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.3.7b,1.3.10rc1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ProFTPD", "source": "cna", "vendor": "ProFTPD"}, "product": "proftpd", "vendor": "proftpd"}], "analysis": {"en": {"generated_at": "2026-04-29T01:31:14.746967+00:00", "value": {"mitigation_remediation": ["Upgrade ProFTPD to version\u202f1.3.10rc1 or later so that the mod_sql flaw is removed.", "If an upgrade is not immediately possible, disable the mod_sql module or remove it from the configuration to eliminate the code path that processes the username input.", "Reconfigure logging so that USER requests are not expanded with\u202f%U, or if logging must include the username, sanitize the value before it reaches the SQL backend.", "Restrict the SQL backend to disallow commands such as COPY\u202fTO\u202fPROGRAM, ensuring that user input cannot trigger external command execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vendor and product: ProFTPD, ProFTPD. The vulnerability exists in all releases prior to\u202f1.3.10rc1. Users running the mod_sql module with any SQL backend that permits external command execution and with logging configured to expand the username field are exposed.", "description_and_impact": "The vulnerability originates from the mod_sql component of ProFTPD versions older than\u202f1.3.10rc1. An attacker can supply a specially crafted username in the FTP USER command. When the server logs USER requests using an expansion such as\u202f%U, the username value is passed directly to the SQL backend. If that backend accepts SQL commands such as COPY\u202fTO\u202fPROGRAM, the malicious input triggers execution of arbitrary shell commands on the server. This is a classic SQL injection (CWE\u201189) that leads to remote code execution and can compromise confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of\u202f8.1 indicates a high severity risk. No EPSS score is available, so the current exploration probability is unknown; however, the exploit requires specific configuration conditions (mod_sql enabled,\u202f%U logging, and a permissive SQL backend). The vulnerability is not listed in CISA\u2019s KEV catalog, but its remote nature and the straightforward input vector make it an attractive target for attackers. If the conditions are met, an attacker can execute arbitrary commands on the host without needing additional privileges."}}}}, "created": "2026-04-28T23:30:05.812612+00:00", "title": "ProFTPD mod_sql Remote Code Execution via Username Injection", "updated": "2026-04-29T01:45:25.994499+00:00", "vendors": ["proftpd", "proftpd$PRODUCT$proftpd"]}