PatchSiren cyber security CVE debrief
CVE-2026-42167 ProFTPD CVE debrief
CVE-2026-42167 is a remote code execution vulnerability in ProFTPD's mod_sql module. The vulnerability allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands. The affected product is ProFTPD versions before 1.3.9a. The vulnerability has a high severity and requires immediate attention from administrators and users.
- Vendor
- ProFTPD
- Product
- Unknown
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-28
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-04-28
- Advisory updated
- 2026-07-08
Who should care
Administrators and users of ProFTPD versions before 1.3.9a should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes updating ProFTPD to version 1.3.9a or later, restricting access to the mod_sql module, monitoring logs for suspicious activity, and implementing additional security measures such as Web Application Firewalls.
Technical summary
The vulnerability exists in the mod_sql module of ProFTPD before version 1.3.9a. It allows remote attackers to execute arbitrary code by providing a specially crafted username that is logged with an expansion like %U. The SQL backend must also allow commands, such as COPY TO PROGRAM, for the exploit to work. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. Affected product deployments should be confirmed in managed environments, and owners should be assigned for follow-up. Official advisories or CVE records should be reviewed to validate affected scope, severity, and vendor guidance. Vendor-supported updates or mitigations should be planned through normal change control where exposure is confirmed. Compensating controls for exposed systems should be reviewed while remediation is scheduled and verified. Relevant monitoring, detection, and logs for exposed assets should be checked, requiring extra review. Exceptions should be tracked, remediated assets retested, and items closed only after evidence is documented.
Defensive priority
High
Recommended defensive actions
- Update ProFTPD to version 1.3.9a or later
- Restrict access to the mod_sql module
- Monitor logs for suspicious activity
- Implement additional security measures such as Web Application Firewalls
- Conduct regular vulnerability assessments and penetration testing
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-04-28T23:16:20.610Z and was last modified on 2026-07-08T03:26:55.713Z. The NVD entry is currently Analyzed. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The SQL backend must allow commands, such as COPY TO PROGRAM, for the exploit to work. Evidence is limited, and further verification is required.
Official resources
-
CVE-2026-42167 CVE record
CVE.org
-
CVE-2026-42167 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Exploit, Issue Tracking, Patch
-
Source reference
[email protected] - Mailing List
-
Mitigation or vendor reference
[email protected] - Exploit, Press/Media Coverage, Third Party Advisory
-
Source reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List
-
Source reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-28T23:16:20.610Z and has not been modified since then. The NVD entry is currently Analyzed.