Description
mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
Published: 2026-04-28
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from the mod_sql component of ProFTPD versions older than 1.3.10rc1. An attacker can supply a specially crafted username in the FTP USER command. When the server logs USER requests using an expansion such as %U, the username value is passed directly to the SQL backend. If that backend accepts SQL commands such as COPY TO PROGRAM, the malicious input triggers execution of arbitrary shell commands on the server. This is a classic SQL injection (CWE‑89) that leads to remote code execution and can compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

Vendor: ProFTPD; product: ProFTPD. The vulnerability exists in all releases prior to 1.3.10rc1. Users running the mod_sql module with any SQL backend that permits external command execution, and with logging configured to expand the username field, are exposed.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. No EPSS score is available, so the current exploitation probability is unknown; however, the exploit requires specific configuration conditions (mod_sql enabled, %U logging, and a permissive SQL backend). The vulnerability is not listed in CISA’s KEV catalog, but its remote nature and the straightforward input vector make it an attractive target for attackers. If the conditions are met, an attacker can execute arbitrary commands on the host without needing additional privileges.

Generated by OpenCVE AI on April 29, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProFTPD to version 1.3.10rc1 or later so that the mod_sql flaw is removed.
  • If an upgrade is not immediately possible, disable the mod_sql module or remove it from the configuration to eliminate the code path that processes the username input.
  • Reconfigure logging so that USER requests are not expanded with %U, or if logging must include the username, sanitize the value before it reaches the SQL backend.
  • Restrict the SQL backend to disallow commands such as COPY TO PROGRAM, ensuring that user input cannot trigger external command execution.
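The second and third actions above hinge on knowing whether the username ever carried SQL metacharacters before it reached a log expansion. The following is an added example, written here and not code from OpenCVE or from the ProFTPD project: it scans constructed, ProFTPD-like log lines (the line format is an assumption, not real server output), extracts the argument of each logged USER command, and flags values that violate an assumed account-name allowlist, contain quoting or comment characters, or mention the COPY ... TO PROGRAM sink named in the description. The same `username_findings` check can be applied in a pre-logging filter, which is the sanitisation step the third action calls for.

```python
import re

# Assumed account-name policy for this example: letters, digits, dot, dash, underscore.
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Characters an injected username needs to break out of a quoted SQL literal.
SQL_METACHARS = re.compile(r"""['";]|--|/\*""")
# The PostgreSQL server-side command the advisory names as the execution sink.
COPY_TO_PROGRAM = re.compile(r"\bcopy\b.*\bto\s+program\b", re.IGNORECASE)
# Username argument of a logged FTP USER command.
USER_CMD = re.compile(r"\bUSER\s+(.*)$")

# Constructed sample lines (not real ProFTPD output); two of the four are suspicious.
SAMPLE_LOG = """\
2026-04-28 22:10:01 ftp01 proftpd[1201] 198.51.100.7: USER alice
2026-04-28 22:10:05 ftp01 proftpd[1202] 198.51.100.9: USER bob'--
2026-04-28 22:10:09 ftp01 proftpd[1203] 203.0.113.4: USER carol; copy x to program 'z'
2026-04-28 22:10:12 ftp01 proftpd[1204] 203.0.113.5: USER dave.smith
"""


def username_findings(name):
    """Return a list of reasons why `name` should not reach an SQL log expansion.

    An empty list means the value conforms to the allowlist and carries no
    SQL metacharacters; callers can use that as the accept/reject decision.
    """
    findings = []
    if not ALLOWED_USERNAME.match(name):
        findings.append("username violates allowlist")
    if SQL_METACHARS.search(name):
        findings.append("sql metacharacter")
    if COPY_TO_PROGRAM.search(name):
        findings.append("copy-to-program")
    return findings


def scan_log(text):
    """Scan log text for USER commands and return one record per suspicious value."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USER_CMD.search(line)
        if not match:
            continue
        name = match.group(1).rstrip()
        findings = username_findings(name)
        if findings:
            results.append({"line": lineno, "username": name, "findings": findings})
    return results


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['username']!r} -> {', '.join(hit['findings'])}")
```

The allowlist check is the one that matters for prevention: rejecting anything outside the expected character set before it is logged removes the injection vector regardless of which SQL backend sits behind mod_sql, whereas the metacharacter and COPY patterns are only useful for retrospective detection in existing logs.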


Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | ProFTPD mod_sql Remote Code Execution via Username Injection

Tue, 28 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
First Time appeared | | Proftpd; Proftpd proftpd
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*
Vendors & Products | | Proftpd; Proftpd proftpd
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T22:09:41.090Z

Reserved: 2026-04-24T00:00:00.000Z

Link: CVE-2026-42167

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T23:16:20.610

Modified: 2026-04-28T23:16:20.610

Link: CVE-2026-42167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:45:25Z

Weaknesses