Home / Vulnerability Intelligence / CVE-2026-42167

CVE-2026-42167 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: April 28, 2026

ProFTPD - Remote Code Execution

Published: April 28, 2026Updated: April 28, 2026PoC AvailableRemote Exploitable

Overview

ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution caused by unsafe username handling with SQL backend commands in USER request logging expansions, letting remote attackers execute arbitrary code, exploit requires SQL backend allowing commands.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.

Mitigation

Upgrade to version 1.3.10rc1 or later.

References

https://github.com/proftpd/proftpd/issues/2052
https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1
https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-42167
Severity: High
CVSS Score: 8.1
Type: command_injection
Status: new

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H