CVE-2026-42167
Published: 28 April 2026
Summary
CVE-2026-42167 is a high-severity SQL Injection (CWE-89) vulnerability in ProFTPD (product attribution inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 8.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
mod_sql in ProFTPD versions before 1.3.9a is vulnerable to SQL injection that permits remote code execution. The flaw is triggered when USER command logging is configured with an expansion such as %U and the SQL backend permits execution of commands such as COPY TO PROGRAM, allowing an attacker-supplied username to be interpreted as SQL.
Remote attackers without authentication can exploit the issue by sending a crafted username during FTP authentication. Successful exploitation grants arbitrary code execution on the server when the logging and backend conditions are present, corresponding to the CVSS 8.1 rating that reflects high impact across confidentiality, integrity, and availability.
Advisories and patches referenced in the ProFTPD 1.3.10rc1 release notes, the project issue tracker, and oss-security postings indicate that the defect is resolved by upgrading to version 1.3.9a or later; operators are advised to review mod_sql logging configurations and restrict SQL backend privileges as interim controls.
EPSS rose from a low baseline to a peak of 0.1239 on 2026-05-01 before receding to the current value of 0.0699, indicating increased exploitation interest shortly after disclosure. Public proof-of-concept code and detailed analysis have also been published.
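As an added illustration (not part of this advisory or of the ProFTPD project), the following Python detector scans constructed FTP command-log lines in an assumed "timestamp client command argument" layout and flags USER arguments that carry SQL quote or comment characters or the COPY ... PROGRAM keywords the advisory names; none of these belong in a legitimate username, so a hit is worth an alert while the interim controls are in place.

```python
import re

# Constructed sample command-log lines in an assumed "timestamp client cmd arg"
# layout (not ProFTPD's exact ExtendedLog output); the two 198.51.100.7 lines
# are test fixtures, not real traffic.
SAMPLE_LOG = """\
2026-04-29T10:01:02Z 203.0.113.5 USER alice
2026-04-29T10:01:03Z 203.0.113.5 PASS (hidden)
2026-04-29T10:02:11Z 198.51.100.7 USER bob'; --
2026-04-29T10:02:30Z 198.51.100.7 USER x' COPY t TO PROGRAM 'true' --
2026-04-29T10:03:00Z 192.0.2.9 USER carol.smith
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+USER\s+(?P<user>.*)$")
# Quote and comment tokens are what break out of a quoted SQL literal;
# COPY ... PROGRAM is the backend feature the advisory names.
SUSPICIOUS_RE = re.compile(r"['\";]|--|/\*|\bCOPY\b.*\bPROGRAM\b", re.IGNORECASE)


def suspicious_user_commands(lines):
    """Return (timestamp, client, username) for each USER command whose
    argument matches SUSPICIOUS_RE; lines for other commands are ignored."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user = m.group("user")
        if SUSPICIOUS_RE.search(user):
            hits.append((m.group("ts"), m.group("client"), user))
    return hits


def scan_log_text(text):
    """Convenience wrapper for a whole log file read into memory."""
    return suspicious_user_commands(text.splitlines())


if __name__ == "__main__":
    for ts, client, user in scan_log_text(SAMPLE_LOG):
        print(f"{ts} {client} suspicious USER argument: {user!r}")
```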
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26157
Vulnerability details
mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated arbitrary code execution via SQL injection in a public-facing ProFTPD server, directly mapping to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires applying the vendor patch (upgrade to 1.3.9a or later) that eliminates the mod_sql username injection flaw.
AC-6 (Least Privilege): enforces least-privilege restrictions on the SQL backend so that commands such as COPY TO PROGRAM cannot be executed even if a crafted username reaches the database.
Requires secure configuration of mod_sql logging (removal of %U expansion) so that untrusted usernames are never written into executable SQL statements.