Nixpkgs security tracker

Accepted

Permalink CVE-2026-44331

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 52 seconds ago by @LeSuisse Activity log

Created suggestion 3 hours ago
@LeSuisse accepted 52 seconds ago

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability …

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

References

Affected products

ProFTPD

=<1.3.9a

Matching in nixpkgs

pkgs.proftpd

Highly configurable GPL-licensed FTP server software

nixos-unstable 1.3.9a
- nixpkgs-unstable 1.3.9a
- nixos-unstable-small 1.3.9a
nixos-25.11 1.3.9a
- nixos-25.11-small 1.3.9a
- nixpkgs-25.11-darwin 1.3.9a

Package maintainers

@osnyx Oliver Schmidt <os@flyingcircus.io>
@leona-ya Leona Maroni <nix@leona.is>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.proftpd

Package maintainers