CVE-2026-42167 PUBLISHED

Assigner: mitre
Reserved: 24.04.2026 Published: 28.04.2026 Updated: 28.04.2026

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ProFTPD
Product	ProFTPD
Versions	Default: unaffected affected from 1.3.7b to 1.3.10rc1 (excl.)

References

http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1
https://github.com/proftpd/proftpd/issues/2052
https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce
https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE