PT-2026-35642 · Proftpd · Proftpd

Valtteri Vuorikoski · Published 2026-04-27 · Updated 2026-05-11 · CVE-2026-42167

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ProFTPD versions prior to 1.3.10rc1

Description: A flaw in the mod_sql module allows unauthenticated remote attackers to bypass authentication and execute arbitrary code. The issue stems from a lack of protection for SQL query structures, specifically when logging USER requests using expansions such as %U. If the SQL backend supports command execution (for example, COPY TO PROGRAM), an attacker can use a crafted username to break SQL strings and execute OS-level commands. Over 162,000 internet-facing instances are estimated to be at risk.

Recommendations: Update to version 1.3.10rc1.
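A defender reviewing an unpatched ProFTPD instance will want to know whether USER commands carrying SQL string-break characters have already been seen. The scanner below is an added example written for this advisory; it is not code from the advisory or from the ProFTPD project. The log line format (client address, command, argument), the sample lines and the username allow-list are all constructed assumptions for the example. It flags USER arguments containing quote characters, statement separators, SQL comments or the COPY ... PROGRAM keyword pair named in the description, and also anything outside a plain allow-list of username characters, which is the check a server-side filter would apply before such a value reaches a logging query.

```python
import re
from typing import Dict, List

# Constructed sample log lines in the spirit of an FTP server's extended log
# (client address, command, argument). They are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 USER alice
203.0.113.7 PASS (hidden)
198.51.100.9 USER bob'; COPY t TO PROGRAM '...'; --
198.51.100.9 PASS (hidden)
192.0.2.44 USER carol"--
192.0.2.44 USER dave.smith@example.org
"""

# Matches one logged USER command and captures the client address and the argument.
USER_LINE = re.compile(r"^(?P<ip>\S+)\s+USER\s+(?P<name>.*)$")

# Allow-list of what a legitimate FTP username looks like on this (hypothetical) server.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Fragments that suggest an attempt to terminate a quoted SQL string or chain a statement.
SUSPICIOUS_FRAGMENTS = [
    (re.compile(r"['\"]"), "quote character"),
    (re.compile(r";"), "statement separator"),
    (re.compile(r"--"), "SQL line comment"),
    (re.compile(r"\bCOPY\b.*\bPROGRAM\b", re.IGNORECASE), "COPY ... TO PROGRAM keyword"),
]


def classify_username(name: str) -> List[str]:
    """Return the reasons a USER argument looks unsafe to expand into an SQL query (empty if clean)."""
    reasons = [why for pat, why in SUSPICIOUS_FRAGMENTS if pat.search(name)]
    if not SAFE_USERNAME.match(name):
        reasons.append("outside username allow-list")
    return reasons


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Scan log text for USER commands whose argument should never have reached a logging query."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = USER_LINE.match(line)
        if not m:
            continue
        reasons = classify_username(m.group("name"))
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "user": m.group("name"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: USER {f['user']!r} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, the scanner reports lines 3 and 5 and passes the two ordinary usernames. The allow-list check is deliberately stricter than the fragment patterns: on a real deployment it is the rule to enforce at the point where the username is accepted, while the fragment patterns are what to hunt for in historical logs.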

Tags: Exploit · Fix · LPE · RCE · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-06120
CVE-2026-42167
OESA-2026-2158
OESA-2026-2159
OESA-2026-2264
OESA-2026-2266

Affected Products

Proftpd