CVE-2026-42167

HIGH · EXPLOITED · NUCLEI · LAB

ProFTPD < 1.3.10rc1 - Remote Code Execution

Title source: manual

Exploitation Summary

CVE-2026-42167 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 8 public exploits from researchers including adminlove520, XZ1r0, kaleth4. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2026-42167, a SQL injection vulnerability in ProFTPD's mod_sql logging pipeline. It includes multiple PoCs demonstrating pre-auth and post-auth exploitation paths, including backdoor user injection and remote code execution via PostgreSQL's COPY TO PROGRAM.

Description

mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Exploits (8)

github WORKING POC 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-42167

The repository contains functional exploit code for CVE-2026-42167, a SQL injection vulnerability in ProFTPD's mod_sql logging pipeline. It includes multiple PoCs demonstrating pre-auth and post-auth exploitation paths, including backdoor user injection and remote code execution via PostgreSQL's COPY TO PROGRAM.

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD with mod_sql (PostgreSQL backend)
No auth needed
Prerequisites: ProFTPD with mod_sql configured to use SQLLog with vulnerable format strings · PostgreSQL backend with stacked query support
devstral-2 · analyzed May 18, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/network/proftpd-CVE-2026-42167-poc

The repository contains functional exploit code for CVE-2026-42167, demonstrating SQL injection via STOR filename in ProFTPD with PostgreSQL backend. It includes PoCs for backdoor user creation, RCE via COPY TO PROGRAM, and blind data exfiltration.

Classification: Working Poc 100%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD with mod_sql_postgres
Auth required
Prerequisites: ProFTPD with mod_sql_postgres enabled · PostgreSQL backend · Specific SQLNamedQuery configuration using %{basename}
devstral-2 · analyzed May 21, 2026

nomisec WRITEUP
by kaleth4 · remote
https://github.com/kaleth4/CVE-2026-42167

This repository provides a detailed technical analysis of CVE-2026-42167, a SQL injection vulnerability in ProFTPD's mod_sql module, including root cause analysis, exploitation techniques, and mitigation strategies. It includes a comprehensive breakdown of the vulnerability's impact, affected versions, and proof-of-concept usage guidelines.

Classification: Writeup 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD < 1.3.9a
No auth needed
Prerequisites: ProFTPD with mod_sql enabled · SQL logging configured · Access to FTP server
devstral-2 · analyzed May 04, 2026

github WORKING POC
by jimmexploit · go · remote
https://github.com/jimmexploit/CVE-2026-42167-PoC

This repository contains a functional exploit for CVE-2026-42167, an SQL injection vulnerability in ProFTPD's mod_sql module. The exploit demonstrates both backdoor user injection and remote code execution via SQL injection through the USER command, bypassing authentication.

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD 1.3.9 and below
No auth needed
Prerequisites: ProFTPD with mod_sql enabled · Network access to the FTP server
devstral-2 · analyzed May 02, 2026

github WORKING POC
by efeanilarslan · python · infoleak
https://github.com/efeanilarslan/CVE-2026-42167-Exploit

This repository contains a functional exploit for CVE-2026-42167, targeting a SQL injection vulnerability in ProFTPD's mod_sql module. The exploit leverages a logical flaw in the is_escaped_text() function to perform unauthenticated SQL injection and exfiltrate files using time-based attacks.

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD with mod_sql module
No auth needed
Prerequisites: ProFTPD with mod_sql configured to log USER commands · PostgreSQL backend · Network access to the target FTP port
devstral-2 · analyzed May 02, 2026

github WORKING POC
by Sl4cK0TH · python · remote
https://github.com/Sl4cK0TH/CVE-2026-42167-PoC

This repository contains a functional exploit for CVE-2026-42167, demonstrating a pre-authentication RCE in ProFTPD via SQL injection in the mod_sql module. The exploit leverages PostgreSQL's COPY TO PROGRAM directive to exfiltrate file contents or establish a reverse shell.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD <= 1.3.9 with mod_sql + mod_sql_postgres
No auth needed
Prerequisites: ProFTPD <= 1.3.9 with mod_sql + mod_sql_postgres · SQLLog configured with %U (username) pre-auth variable · PostgreSQL DB role must be a superuser · bash available on the PostgreSQL host · Attacker host must be reachable from the PostgreSQL container
devstral-2 · analyzed May 01, 2026

github WORKING POC
by dinosn · python · poc
https://github.com/dinosn/proftpd-CVE-2026-42167-analysis

This repository contains functional exploit code for CVE-2026-42167, a SQL injection vulnerability in ProFTPD's mod_sql module. The PoC demonstrates unauthenticated RCE and auth bypass via crafted USER and STOR commands, leveraging a flawed is_escaped_text() heuristic.

Classification: Working Poc 100%
Attack Type: Sqli | Rce | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD <= 1.3.9 with mod_sql
No auth needed
Prerequisites: ProFTPD with mod_sql enabled · SQLLog or SQLNamedQuery configured with attacker-controlled variables in single quotes
devstral-2 · analyzed Apr 29, 2026

nomisec WORKING POC
by ZeroPathAI · remote
https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc

The repository contains functional exploit code demonstrating CVE-2026-42167, a SQL injection vulnerability in ProFTPD's mod_sql logging pipeline. The PoCs leverage a bypass in the is_escaped_text() function to execute arbitrary SQL queries, enabling backdoor user injection and remote code execution via PostgreSQL's COPY TO PROGRAM feature.

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD with mod_sql (PostgreSQL backend)
No auth needed
Prerequisites: ProFTPD with mod_sql and PostgreSQL backend · SQLLog directive configured with vulnerable format variables
devstral-2 · analyzed Apr 29, 2026

Nuclei Templates (1)

ProFTPD mod_sql - Preauth User Backdoor
HIGH · VERIFIED · by pussycat0x
Shodan: 220 ProFTPD

Scores

CVSS v3 8.1
EPSS 0.0483
EPSS Percentile 90.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2026-06-01
CWE CWE-89
Status published
Products (2)
ProFTPD/ProFTPD 1.3.7b - 1.3.10rc1
ProFTPD/ProFTPD 1.3.7b - 1.3.9a
Published Apr 28, 2026
Tracked Since Apr 29, 2026