CVE-2026-42167 | THREATINT

Description

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

PUBLISHED Reserved 2026-04-24 | Published 2026-04-28 | Updated 2026-04-29 | Assigner mitre

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

1.3.7b (custom) before 1.3.10rc1

affected

References

github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc exploit

www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1

github.com/proftpd/proftpd/issues/2052

zeropath.com/...oftpd-cve-2026-42167-auth-bypass-privesc-rce

github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc

cve.org (CVE-2026-42167)

nvd.nist.gov (CVE-2026-42167)

Download JSON