High severity8.1NVD Advisory· Published May 5, 2026· Updated May 7, 2026

CVE-2026-44331

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Affected products

Proftpd/Proftpdreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1nvd
github.com/proftpd/proftpd/issues/2057nvd

News mentions

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
The Hacker News · May 4, 2026

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000