CVE-2026-44331 · HIGH 8.1 · EPSS p36.1%

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.1% · 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1
  2. https://github.com/proftpd/proftpd/issues/2057

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-42167
CVE-2026-39531
CVE-2026-44047
CVE-2026-42000
CVE-2026-42672
CVE-2026-41462

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.