CVE-2026-42167: mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where

Description

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Affected Products

Vendor	Product	Versions
proftpd	proftpd	1.3.7b

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	proftpd	cert_advisory	90%

References

Related News (2 articles)

Tier B

BSI Advisories7h ago

[NEU] [hoch] ProFTPD: Schwachstelle ermöglicht SQL-Injection

→ No new info (linked only)

Tier C

VulDB13h ago

CVE-2026-42167 | ProFTPD up to 1.3.9 mod_sql User Remote Code Execution (ID 2052)

→ No new info (linked only)

CVSS 3.18.1 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.3.10rc1

CWECWE-89

PublishedApr 28, 2026

Last enriched12h agov2

Trending Score69

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 12h ago

v2Tier C12h ago

Updated affected versions to include 1.3.9, changed severity to CRITICAL, and noted that there is no exploit available.

affectedVersionsseverityactivelyExploited

via VulDB

v118h ago

Initial creation