If ProFTPD is configured to use mod_sql for logging, SQL injection pre- or post-authentication is possible via CVE-2026-42167.
The impact of this injection depends on server configuration. It ranges from full pre-auth RCE in rare cases, to auth bypass, to privilege escalation, to bypassing quotas and subverting other functionality implemented by modules that depend on mod_sql for storage.
Of the 160k public-facing PureFTPD instances, approximately 1% were vulnerable to pre-auth injection two days ago, and presumably a larger number were vulnerable post-auth, given the larger post-auth attack surface.
Patch ProFTPD ASAP or disable all logging via mod_sql for the time being.
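A quick way to check whether a server is in the affected configuration, and to apply the interim mitigation (stop mod_sql from logging), is to audit proftpd.conf for the mod_sql logging directives. The script below is an added example written for this note; it is not from the advisory or the ProFTPD project. The sample configuration is constructed, and the assumption is that `SQLLog` and `SQLLogOnEvent` are the directives through which mod_sql writes request-derived data to the database (with `SQLEngine` and `LoadModule mod_sql.c` deciding whether the module is active at all).

```python
import re

# Constructed sample proftpd.conf fragment (made up for this example, not a real server's config).
SAMPLE_CONF = """\
ServerName "Example FTP"
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c

<IfModule mod_sql.c>
  SQLEngine on
  SQLBackend mysql
  SQLAuthTypes Crypt
  # transfer logging into an xferlog table
  SQLNamedQuery logxfer INSERT "'%u', '%f', %b" xferlog
  SQLLog RETR,STOR logxfer
  SQLLogOnEvent Login logxfer
</IfModule>
"""

# Assumption: these are the mod_sql directives that make it log request data to SQL.
LOGGING_DIRECTIVES = {"sqllog", "sqllogonevent"}

# ProFTPD directive names are case-insensitive; arguments are the rest of the line.
_DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z_]+)\s*(?P<args>.*?)\s*$")


def _directives(conf):
    """Yield (line_no, name, args) for each directive, skipping comments, blanks and <tags>."""
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            yield line_no, m.group("name"), m.group("args")


def audit(conf):
    """Report whether this config uses mod_sql for logging, i.e. the exposed configuration."""
    loaded = False
    engine_on = True  # assumption: SQLEngine is treated as on unless explicitly set off
    findings = []
    for line_no, name, args in _directives(conf):
        lname = name.lower()
        if lname == "loadmodule" and args.split()[:1] == ["mod_sql.c"]:
            loaded = True
        elif lname == "sqlengine":
            engine_on = args.strip().lower() == "on"
        elif lname in LOGGING_DIRECTIVES:
            findings.append((line_no, name, args))
    return {
        "mod_sql_loaded": loaded,
        "sql_engine": engine_on,
        "logging_directives": findings,
        # Exposed only when the module is loaded, enabled, and actually logging via SQL.
        "exposed": loaded and engine_on and bool(findings),
    }


def remediate(conf, marker="CVE-2026-42167 mitigation, re-enable after patching"):
    """Comment out the mod_sql logging directives, keeping indentation and everything else intact."""
    out = []
    for raw in conf.splitlines():
        stripped = raw.strip()
        m = _DIRECTIVE_RE.match(stripped)
        if m and m.group("name").lower() in LOGGING_DIRECTIVES:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}# {marker}: {stripped}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    for line_no, name, args in report["logging_directives"]:
        print(f"line {line_no}: {name} {args}")
    print("exposed:", report["exposed"])
    print(remediate(SAMPLE_CONF))
```

Run it against a real proftpd.conf by reading the file into `audit()` first; if `exposed` is true, `remediate()` produces the interim config with SQL logging commented out, which is the "disable all logging via mod_sql" step until the patched build is installed. Note that this only covers the main file: `Include`d files and per-`<VirtualHost>` blocks need the same check.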