PT-2026-37238 · Proftpd · Proftpd

Xs1Kveroa · Published 2026-05-05 · Updated 2026-05-13 · CVE-2026-44331

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ProFTPD versions prior to 1.3.9a 7666224

Description

A SQL injection issue exists in the sqltab_fetch_clients_cb() function within contrib/mod_wrap2_sql.c. When the "UseReverseDNS on" setting is enabled, a remote attacker can inject arbitrary SQL commands by using a crafted domain name during a reverse DNS lookup, as the hostname is passed into SQL queries without being escaped. The exploitability of this issue may be limited by the character restrictions inherent to DNS names.

Recommendations

Update to version 1.3.9a 7666224 or later. Disable the "UseReverseDNS" setting to prevent the processing of reverse DNS lookups.
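
To find servers where the second recommendation applies, the following added example (not part of the original advisory or of ProFTPD) audits a proftpd.conf for the combination the description names: reverse DNS enabled while mod_wrap2 reads its access tables from SQL. It assumes the SQL tables are configured through WrapTables, WrapUserTables or WrapGroupTables with a "sql:" source, does not follow Include directives, and does not check the installed version; the function names and the sample configuration are constructed for illustration.

```python
import re
import sys

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """\
# constructed example
UseReverseDNS on
<IfModule mod_wrap2_sql.c>
  WrapEngine on
  WrapTables sql:/get-allowed-clients/get-denied-clients
</IfModule>
"""

# mod_wrap2 directives that can name a "sql:" table source.
WRAP_DIRECTIVES = {"wraptables", "wrapusertables", "wrapgrouptables"}
# Boolean spellings treated as "enabled" (assumption: the forms ProFTPD accepts).
TRUE_VALUES = {"on", "yes", "true", "1"}


def directives(conf_text):
    """Yield (line_no, lowercased name, args) for each directive line."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and section tags such as <IfModule ...>.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line)
        yield no, parts[0].lower(), parts[1:]


def audit(conf_text):
    """Report where reverse DNS is on and where SQL wrap tables are used."""
    rdns_on, sql_tables = [], []
    for no, name, args in directives(conf_text):
        if name == "usereversedns" and args and args[0].lower() in TRUE_VALUES:
            rdns_on.append(no)
        elif name in WRAP_DIRECTIVES and any(
            a.lower().startswith("sql:") for a in args
        ):
            sql_tables.append(no)
    # Both conditions from the advisory must hold for the config to be exposed.
    return {
        "reverse_dns_on": rdns_on,
        "sql_wrap_tables": sql_tables,
        "exposed": bool(rdns_on and sql_tables),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(audit(text))
```

A result with "exposed" set to true only describes the configuration; whether the server is affected still depends on it running a version prior to the fixed release.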

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-06340
CVE-2026-44331
OESA-2026-2264
OESA-2026-2265
OESA-2026-2266
OESA-2026-2267
OESA-2026-2268

Affected Products

Proftpd