CVE-2026-44331
Published: 05 May 2026
Summary
CVE-2026-44331 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-44331 is a SQL injection vulnerability in ProFTPD versions through 1.3.9a before commit 7666224, specifically affecting the sqltab_fetch_clients_cb() function in contrib/mod_wrap2_sql.c. The flaw arises when the "UseReverseDNS on" configuration is enabled, allowing an attacker-supplied hostname from a reverse DNS lookup to be passed unescaped into SQL queries. This enables injection of arbitrary SQL commands via a crafted domain name, though DNS name character restrictions may limit exploitability. The vulnerability is rated 8.1 on the CVSS 3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.
A remote attacker with no privileges can exploit this vulnerability by controlling the hostname returned during a reverse DNS lookup for an incoming connection. Successful exploitation grants high confidentiality, integrity, and availability impacts through arbitrary SQL command execution against the backend database used by mod_wrap2_sql, potentially leading to data exfiltration, modification, or server compromise. The high attack complexity stems from the need to craft a domain name that evades DNS restrictions while forming valid malicious SQL.
The fix is commit 766622456440fbca33abd7927c523673a11d1ed1 in the ProFTPD GitHub repository; any build that predates this commit remains affected. Security practitioners should update ProFTPD to a build that includes this commit, or disable the UseReverseDNS option in configurations that use mod_wrap2_sql. Further details are available in the associated GitHub issue at https://github.com/proftpd/proftpd/issues/2057.
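The defect pattern described above, beside its hardened form, as an added illustration: this is not ProFTPD's code, and the table name, column and rows are constructed stand-ins for a mod_wrap2 SQL client table, not the module's real schema. The unsafe lookup pastes the reverse DNS result into the query text; the safe one first checks that the value is syntactically a hostname (the SI-10 control) and then binds it as a parameter so the driver never interprets it as SQL.

```python
import re
import sqlite3

# RFC 1123 hostname syntax: labels of letters, digits and hyphens, joined by dots.
# The DNS protocol itself does not force PTR data into this charset, which is why
# the check happens here rather than being assumed from the resolver.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_hostname(name: str) -> bool:
    return bool(HOSTNAME_RE.match(name))


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a mod_wrap2 SQL client table (not ProFTPD's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ftpallow (client TEXT)")
    conn.executemany("INSERT INTO ftpallow VALUES (?)",
                     [("allowed.example.com",), ("10.0.0.5",)])
    conn.commit()
    return conn


def fetch_clients_unsafe(conn: sqlite3.Connection, host: str) -> list:
    # Defect pattern: the reverse DNS result is interpolated into the SQL text unescaped.
    sql = f"SELECT client FROM ftpallow WHERE client = '{host}'"
    return [row[0] for row in conn.execute(sql)]


def fetch_clients_safe(conn: sqlite3.Connection, host: str) -> list:
    # Hardened form: validate the input, then pass it as a bound parameter.
    if not is_valid_hostname(host):
        raise ValueError("rejected non-hostname reverse DNS result")
    return [row[0] for row in conn.execute(
        "SELECT client FROM ftpallow WHERE client = ?", (host,))]


def demo(host: str) -> dict:
    """Run both lookups against a fresh constructed table and report what each did."""
    conn = make_db()
    out = {}
    try:
        out["unsafe"] = fetch_clients_unsafe(conn, host)
    except sqlite3.OperationalError:
        # A single quote in the hostname reached the SQL parser as syntax, not data.
        out["unsafe"] = "SQL syntax error: quote reached the parser unescaped"
    try:
        out["safe"] = fetch_clients_safe(conn, host)
    except ValueError:
        out["safe"] = "rejected by hostname validation"
    return out
```

A reverse DNS answer containing a single quote makes the unsafe query fail to parse, which is the same unescaped path an attacker-chosen name would exploit; the validated, parameterized lookup rejects it before any query runs.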
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27484
Vulnerability details
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing ProFTPD FTP server (mod_wrap2_sql) directly enables remote exploitation of a network-accessible application without authentication.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs, such as attacker-supplied reverse DNS hostnames, before they are inserted into SQL queries, directly preventing SQL injection in mod_wrap2_sql.
- SI-2 (Flaw Remediation): mandates timely identification, reporting and patching of known flaws such as CVE-2026-44331 through a flaw remediation process.
- Enforces secure configuration settings, such as disabling UseReverseDNS in ProFTPD, to block the vulnerable reverse DNS lookup path.