NIXPKGS-2026-1285

GitHub issue published on

Permalink CVE-2026-42167

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 11 hours ago by @LeSuisse Activity log

Created suggestion 17 hours ago
@LeSuisse accepted 11 hours ago
@LeSuisse published on GitHub 11 hours ago

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute …

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

References

Affected products

ProFTPD

<1.3.10rc1

Matching in nixpkgs

pkgs.proftpd

Highly configurable GPL-licensed FTP server software

nixos-unstable 1.3.9
- nixpkgs-unstable 1.3.9
- nixos-unstable-small 1.3.9
nixos-25.11 1.3.9
- nixos-25.11-small 1.3.9
- nixpkgs-25.11-darwin 1.3.9

Package maintainers

@osnyx Oliver Schmidt <os@flyingcircus.io>
@leona-ya Leona Maroni <nix@leona.is>

Backported in 1.3.9a: https://github.com/proftpd/proftpd/blob/v1.3.9a/NEWS#L53-L54

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1285

References

Affected products

Matching in nixpkgs

pkgs.proftpd

Package maintainers