Cyber Resilience

CVE-2026-42167

Severity: High
Published: 28 April 2026
Modified: 01 May 2026
KEV added: not listed
Patch: available
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0500 (91.2nd percentile)
Risk priority: 60 (floored blend · peak EPSS)

Summary

CVE-2026-42167 is a high-severity SQL Injection (CWE-89) vulnerability in ProFTPD (product inferred from references). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.8% of all CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are the NIST 800-53 controls AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

mod_sql in ProFTPD versions before 1.3.9a is vulnerable to a SQL injection that can lead to remote code execution. The flaw is triggered when USER command logging is configured with an expansion such as %U, which interpolates the client-supplied username into the logging query, and the SQL backend permits server-side commands such as COPY TO PROGRAM; an attacker-supplied username is then interpreted as SQL.

Remote attackers without authentication can exploit the issue by sending a crafted username during FTP authentication. When the logging and backend conditions are present, successful exploitation yields arbitrary code execution on the server, which is reflected in the CVSS 8.1 rating with high impact across confidentiality, integrity, and availability.

Advisories and patches referenced in the ProFTPD 1.3.10rc1 release notes, the project issue tracker, and oss-security postings indicate that the defect is resolved by upgrading to version 1.3.9a or later. As interim controls, operators are advised to review mod_sql logging configurations and restrict the privileges of the SQL backend account.
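Because the injection point is the FTP USER argument, a defender can watch the control-channel log for usernames that carry SQL syntax, long before a database error or a spawned process shows up. The script below is an added example written for this page; it is not code from the original record or from the ProFTPD project. The log line format, host names, client addresses and usernames are all constructed for the example, and the scoring weights and threshold are assumptions a team would tune against its own traffic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (not ProFTPD's native format): each line ends with the
# client address and the argument the client sent in the FTP USER command.
SAMPLE_LOG = """\
2026-04-29T10:01:12Z ftp01 proftpd[4410]: 198.51.100.7 USER alice
2026-04-29T10:01:40Z ftp01 proftpd[4412]: 198.51.100.7 USER bob.smith
2026-04-29T10:02:03Z ftp01 proftpd[4415]: 203.0.113.9 USER anonymous
2026-04-29T10:02:17Z ftp01 proftpd[4419]: 203.0.113.9 USER admin'--
2026-04-29T10:02:31Z ftp01 proftpd[4421]: 203.0.113.9 USER svc'; COPY t TO PROGRAM
2026-04-29T10:03:02Z ftp01 proftpd[4423]: 192.0.2.25 USER o'neil
"""

# Parser for the constructed line layout above.
USER_LINE = re.compile(r"^(?P<ts>\S+) \S+ \S+: (?P<addr>\S+) USER (?P<user>.*)$")

# A username drawn only from this charset cannot carry SQL syntax.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]+$")

# SQL keywords with no business in an FTP username.  COPY and PROGRAM cover the
# PostgreSQL COPY ... TO PROGRAM abuse named in the advisory.
SQL_KEYWORDS = re.compile(
    r"\b(select|insert|update|delete|drop|union|copy|program|exec|pg_\w+)\b", re.I
)
# Statement terminators and comment markers used to break out of a quoted literal.
TERMINATORS = re.compile(r";|--|/\*|\*/")
QUOTES = re.compile(r"['\"]")


@dataclass
class Finding:
    ts: str
    addr: str
    username: str
    score: int
    reasons: list[str] = field(default_factory=list)


def score_username(username: str) -> tuple[int, list[str]]:
    """Heuristically score how SQL-like a USER argument is (weights are assumptions)."""
    if SAFE_USERNAME.match(username):
        return 0, []
    score, reasons = 0, []
    if QUOTES.search(username):
        score += 1                      # a lone quote is weak evidence (o'neil)
        reasons.append("quote")
    if TERMINATORS.search(username):
        score += 2                      # quote plus terminator/comment is the classic shape
        reasons.append("terminator/comment")
    keywords = {kw.lower() for kw in SQL_KEYWORDS.findall(username)}
    if keywords:
        score += 2 * len(keywords)
        reasons.append("sql keywords: " + ",".join(sorted(keywords)))
    return score, reasons


def scan(log_text: str, threshold: int = 3) -> list[Finding]:
    """Return every USER line whose argument scores at or above the threshold."""
    findings = []
    for line in log_text.splitlines():
        m = USER_LINE.match(line)
        if not m:
            continue
        score, reasons = score_username(m["user"])
        if score >= threshold:
            findings.append(Finding(m["ts"], m["addr"], m["user"], score, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.addr} score={f.score} user={f.username!r} ({'; '.join(f.reasons)})")
```

With the default threshold the two lines from 203.0.113.9 are reported while the apostrophe in `o'neil` is not, which is the trade-off the scoring is meant to expose: a quote alone is common in real names, a quote combined with a terminator or a SQL keyword is not.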

EPSS rose from a low baseline to a peak of 0.1239 on 2026-05-01 before receding to the current value of 0.0699, indicating increased exploitation interest shortly after disclosure. Public proof-of-concept code and detailed analysis have also been published.

Vulnerability details

mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

CWE(s)

CWE-89 (SQL Injection)
MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The vulnerability allows remote, unauthenticated arbitrary code execution via SQL injection in a public-facing ProFTPD server, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

ProFTPD (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent)
Directly requires applying the vendor patch (upgrade to 1.3.9a or later) that eliminates the mod_sql username injection flaw.

AC-6 Least Privilege (prevent)
Enforces least-privilege restrictions on the SQL backend so that commands such as COPY TO PROGRAM cannot be executed even if a crafted username reaches the database.

prevent
Requires secure configuration of mod_sql logging (removal of the %U expansion) so that untrusted usernames are never written into executable SQL statements.

References