CVE-2026-44331

Published: May 5, 2026

Modified: May 6, 2026

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Vendor	Product	Versions
ProFTPD	ProFTPD	affected `0 - <= 1.3.9a`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/proftpd/proftpd/issues/2057

https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-44331

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References