Cyber Resilience

CVE-2026-44331

High

Published: 05 May 2026

Modified: 07 May 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (36.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-44331 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-44331 is a SQL injection vulnerability in ProFTPD versions through 1.3.9a before commit 7666224, specifically affecting the sqltab_fetch_clients_cb() function in contrib/mod_wrap2_sql.c. The flaw arises when the "UseReverseDNS on" configuration is enabled, allowing an attacker-supplied hostname from a reverse DNS lookup to be passed unescaped into SQL queries. This enables injection of arbitrary SQL commands via a crafted domain name, though DNS name character restrictions may limit exploitability. The vulnerability is rated 8.1 on the CVSS 3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.

A remote attacker with no privileges can exploit this vulnerability by controlling the hostname returned during a reverse DNS lookup for an incoming connection. Successful exploitation grants high confidentiality, integrity, and availability impacts through arbitrary SQL command execution against the backend database used by mod_wrap2_sql, potentially leading to data exfiltration, modification, or server compromise. The high attack complexity stems from the need to craft a domain name that evades DNS restrictions while forming valid malicious SQL.

The issue is fixed in the ProFTPD GitHub repository by commit 766622456440fbca33abd7927c523673a11d1ed1; builds that predate this commit remain affected. Security practitioners should update ProFTPD to a build that includes this commit or later, or disable the UseReverseDNS option in configurations that use mod_wrap2_sql. Further details are available in the associated GitHub issue at https://github.com/proftpd/proftpd/issues/2057.
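The validate-then-escape handling that the analysis above calls for, as an added C example (not ProFTPD's code and not the change made in commit 7666224). The function names, the `wrap_allow` table and the sample hostnames are constructed for illustration, and the quote doubling assumes a backend that follows standard SQL string literals.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper: accept only RFC 1123 style names (ASCII letters, digits,
 * hyphen; labels of 1-63 bytes, no leading/trailing hyphen; 253 bytes max). */
int is_ldh_hostname(const char *name) {
  size_t len = strlen(name), label = 0;
  if (len == 0 || len > 253) return 0;
  for (size_t i = 0; i < len; i++) {
    char c = name[i];
    if (c == '.') {
      if (label == 0 || name[i - 1] == '-') return 0;
      label = 0; continue;
    }
    int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
             (c >= '0' && c <= '9') || c == '-';
    if (!ok || (c == '-' && label == 0) || ++label > 63) return 0;
  }
  return label > 0 && name[len - 1] != '-';
}

/* Second layer: double single quotes; -1 if dst is too small. Assumes standard
 * SQL literals; real code should use the database driver's escaping routine. */
int sql_escape_literal(const char *src, char *dst, size_t dstsz) {
  size_t o = 0;
  if (dstsz == 0) return -1;
  for (; *src; src++) {
    if (o + (*src == '\'' ? 2 : 1) >= dstsz) return -1;
    if (*src == '\'') dst[o++] = '\'';
    dst[o++] = *src;
  }
  dst[o] = '\0';
  return 0;
}

/* Returns 0 and fills query, or -1 when the reverse-DNS name must not be used.
 * The wrap_allow table and its columns are constructed for this example. */
int build_client_query(const char *rdns_name, char *query, size_t qsz) {
  char esc[512];
  if (!is_ldh_hostname(rdns_name)) return -1;
  if (sql_escape_literal(rdns_name, esc, sizeof(esc)) < 0) return -1;
  int n = snprintf(query, qsz, "SELECT allowed FROM wrap_allow WHERE name = '%s'", esc);
  return (n < 0 || (size_t) n >= qsz) ? -1 : 0;
}

int main(void) { /* constructed sample names */
  char q[128];
  int a = build_client_query("ftp-client.example.org", q, sizeof q);
  printf("%d %d\n", a, build_client_query("bad'name.example.org", q, sizeof q));
  return 0;
}
```

A caller that gets -1 should treat the peer as having no usable hostname and fall back to matching on the IP address.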

Vulnerability details

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing ProFTPD FTP server (mod_wrap2_sql) directly enables remote exploitation of a network-accessible application without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956: Shared CWE-89
CVE-2026-33615: Shared CWE-89
CVE-2025-28939: Shared CWE-89
CVE-2021-47872: Shared CWE-89
CVE-2025-28873: Shared CWE-89
CVE-2019-25636: Shared CWE-89
CVE-2026-32611: Shared CWE-89
CVE-2026-42755: Shared CWE-89
CVE-2024-53544: Shared CWE-89
CVE-2026-21410: Shared CWE-89

Mitigating Controls (NIST 800-53 r5)

prevent

Requires validation of untrusted inputs like attacker-supplied reverse DNS hostnames before insertion into SQL queries, directly preventing SQL injection in mod_wrap2_sql.

prevent

Mandates timely identification, reporting, and patching of known flaws like CVE-2026-44331 via flaw remediation processes.

prevent

Enforces secure configuration settings such as disabling UseReverseDNS in ProFTPD to block the vulnerable reverse DNS lookup path.
