Fluid Attacks Database

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	proftpd-dfsg	=1.3.7a+dfsg-12 \|\| =1.3.7a+dfsg-12+deb11u1 \|\| =1.3.7a+dfsg-12+deb11u2 \|\| =1.3.7a+dfsg-12+deb11u3 \|\| =1.3.7a+dfsg-12+deb11u5 \|\| =1.3.7b+dfsg-1 \|\| =1.3.7b+dfsg-2 \|\| =1.3.7c+dfsg-1 \|\| =1.3.7d+dfsg-1 \|\| =1.3.7d+dfsg-2 \|\| =1.3.7d+dfsg-3 \|\| =1.3.8+dfsg-1 \|\| =1.3.8+dfsg-2 \|\| =1.3.8+dfsg-3 \|\| =1.3.8+dfsg-4 \|\| =1.3.8+dfsg-5 \|\| =1.3.8+dfsg-6 \|\| =1.3.8+dfsg-7 \|\| =1.3.8+dfsg-8 \|\| =1.3.8.a+dfsg-1 \|\| =1.3.8.b+dfsg-1 \|\| =1.3.8.b+dfsg-2 \|\| =1.3.8.b+dfsg-3 \|\| =1.3.8.b+dfsg-4 \|\| =1.3.8.c+dfsg-1 \|\| =1.3.8.c+dfsg-2 \|\| =1.3.8.c+dfsg-3 \|\| =1.3.8.c+dfsg-4 \|\| =1.3.9a~dfsg-1 \|\| =1.3.9~dfsg-1 \|\| =1.3.9~dfsg-2 \|\| =1.3.9~dfsg-3 \|\| =1.3.9~dfsg-4 \|\| =1.3.9~dfsg-5	-
debian 12	proftpd-dfsg	=1.3.8+dfsg-4 \|\| =1.3.8+dfsg-4+deb12u1 \|\| =1.3.8+dfsg-4+deb12u2 \|\| =1.3.8+dfsg-4+deb12u3 \|\| =1.3.8+dfsg-4+deb12u4 \|\| =1.3.8+dfsg-4+deb12u5 \|\| =1.3.8+dfsg-5 \|\| =1.3.8+dfsg-6 \|\| =1.3.8+dfsg-7 \|\| =1.3.8+dfsg-8 \|\| =1.3.8.a+dfsg-1 \|\| =1.3.8.b+dfsg-1 \|\| =1.3.8.b+dfsg-2 \|\| =1.3.8.b+dfsg-3 \|\| =1.3.8.b+dfsg-4 \|\| =1.3.8.c+dfsg-1 \|\| =1.3.8.c+dfsg-2 \|\| =1.3.8.c+dfsg-3 \|\| =1.3.8.c+dfsg-4 \|\| =1.3.9a~dfsg-1 \|\| =1.3.9~dfsg-1 \|\| =1.3.9~dfsg-2 \|\| =1.3.9~dfsg-3 \|\| =1.3.9~dfsg-4 \|\| =1.3.9~dfsg-5	-
debian 13	proftpd-dfsg	=1.3.8.c+dfsg-4 \|\| =1.3.8.c+dfsg-4+deb13u1 \|\| =1.3.8.c+dfsg-4+deb13u2 \|\| =1.3.9a~dfsg-1 \|\| =1.3.9~dfsg-1 \|\| =1.3.9~dfsg-2 \|\| =1.3.9~dfsg-3 \|\| =1.3.9~dfsg-4 \|\| =1.3.9~dfsg-5	-
debian 14	proftpd-dfsg	=1.3.8.c+dfsg-4 \|\| =1.3.9~dfsg-1 \|\| =1.3.9~dfsg-2 \|\| =1.3.9~dfsg-3 \|\| =1.3.9~dfsg-4 \|\| =1.3.9~dfsg-5 \|\| >=0 <1.3.9a~dfsg-1	1.3.9a~dfsg-1

Aliases

1. CVE-2026-443312. NVD-2026-443313. OSV-DEBIAN-2026-443314. OSV-2026-443315. SECURITY-TRACKER-CVE-2026-44331

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.