Summary
ZeroPath Research disclosed CVE-2026-42167, a SQL injection in ProFTPD’s mod_sql logging pipeline. The vulnerable path runs through SQL log-format expansions that can incorporate attacker-controlled FTP-session values, so data supplied by an FTP client can end up inside a logging query. Impact depends on server configuration. ZeroPath documents both pre-authentication and post-authentication trigger paths, including backdoor-user insertion, credential exfiltration, and PostgreSQL-backed remote code execution when the database role has the required privileges. NVD records the issue as affecting ProFTPD before 1.3.9a, with a CVSS 3.1 score of 8.1 assigned by MITRE.
Attribution
This is a self-reported, AI-attributed entry: ZeroPath supplies the discovery claim and explains why LLM-style reasoning was useful for tracing a source-to-sink path that depends on both runtime data and server configuration. Independent corroboration comes from the public CVE record, the ProFTPD fix commit, the 1.3.9a release, and the oss-sec discussion.
Why it matters
The bug is a good fit for Bugflation because it is not a bug that local pattern matching would catch. The dangerous path depends on FTP log substitutions, SQL escaping heuristics, runtime callbacks, and administrator configuration. That is exactly the kind of cross-context vulnerability finding that AI security systems claim to accelerate.
References
- ZeroPath: CVE-2026-42167 allows auth bypass and RCE in ProFTPD
- NVD: CVE-2026-42167
- ProFTPD fix commit af90843
- ProFTPD release v1.3.9a
- ZeroPath PoC repository
- oss-sec discussion
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.