CVEs

From login to admin: CVE-2026-41462
Reading time: 4 minutes
CVSS: 9.4
Target: ProjeQtOr >= v7.0 and <= v12.4.3

A critical vulnerability has been identified in ProjeQtOr, a widely used project management software. CVE-2026-41462 is an SQL injection flaw that lets an unauthenticated attacker execute arbitrary SQL commands against the database, giving full access to its contents.
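To show what this vulnerability class looks like at a login form and why bound parameters close it, here is an added example in Python with SQLite. It is not code from this page or from ProjeQtOr: the users table, the placeholder password hashing and the query text are all assumptions made for the illustration.

```python
import hashlib
import sqlite3

# Constructed sample data; the table layout is a stand-in, not ProjeQtOr's schema.
USERS = [
    ("admin", "correct horse", 1),
    ("alice", "hunter2", 0),
]


def hash_password(password):
    # Placeholder hash so the example is self-contained; use a real password hash in practice.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory SQLite database with two users (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (login, password_hash, is_admin) VALUES (?, ?, ?)",
        [(login, hash_password(pw), admin) for login, pw, admin in USERS],
    )
    return conn


def login_vulnerable(conn, login, password):
    """Hypothetical vulnerable login: the login field is pasted into the SQL text."""
    sql = (
        "SELECT id, login, is_admin FROM users "
        "WHERE login = '%s' AND password_hash = '%s'" % (login, hash_password(password))
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, login, password):
    """Same query with bound parameters: the login value can never become SQL syntax."""
    sql = "SELECT id, login, is_admin FROM users WHERE login = ? AND password_hash = ?"
    return conn.execute(sql, (login, hash_password(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    # The injected comment cuts the password check off the end of the query:
    #   WHERE login = 'admin'-- ' AND password_hash = '...'
    print(login_vulnerable(db, "admin'-- ", "wrong password"))   # (1, 'admin', 1)
    print(login_fixed(db, "admin'-- ", "wrong password"))        # None
    print(login_fixed(db, "admin", "correct horse"))             # (1, 'admin', 1)
```

Hashing the password before the query does not help here: the injection lives in the login field, and the comment marker removes the hash comparison entirely. Only keeping user input out of the SQL text, as the bound-parameter version does, removes the class.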
ZipSlip RCE plugin: CVE-2026-41463
Reading time: 3 minutes
CVSS: 9.4
Target: ProjeQtOr >= v7.0 and <= v12.4.3

A high-severity vulnerability has been identified in ProjeQtOr. CVE-2026-41463 is a ZipSlip path traversal vulnerability in the plugin upload feature: an authenticated attacker with upload permissions can write files outside the intended extraction directory and potentially achieve remote code execution.
When guest takes over: CVE-2026-41464
Reading time: 3 minutes
CVSS: 7.1
Target: ProjeQtOr >= v7.0 and <= v12.4.3

A high-severity authorization issue has been identified in ProjeQtOr. CVE-2026-41464 allows authenticated low-privileged users to access sensitive information belonging to other users, including password hashes and API keys, because of missing authorization checks.
Reading outside the logs: CVE-2026-41465
Reading time: 3 minutes
CVSS: 7.1
Target: ProjeQtOr >= v7.0 and <= v12.4.3

A path traversal vulnerability has been identified in ProjeQtOr. CVE-2026-41465 affects the log file viewer and allows authenticated attackers to read arbitrary .log files accessible to the web server process by abusing insufficient validation of the logname parameter.
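The ZipSlip entry (CVE-2026-41463) and this log viewer entry (CVE-2026-41465) are the same failure seen twice: an attacker-chosen name is joined onto a trusted directory and the result is never checked against that directory. The added example below is not code from this page or from ProjeQtOr; the extractor, the log viewer, the directory names and the archive it builds are all assumptions. It pairs a naive version of each with a version that resolves the final path and confirms it stays inside the intended directory.

```python
import io
import os
import tempfile
import zipfile


def is_within(base_dir, candidate):
    """True when candidate resolves (symlinks and '..' included) to a path inside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base


def extract_plugin_naive(zip_bytes, dest_dir):
    """Hypothetical ZipSlip-prone extractor: trusts entry names as given. Returns paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)  # '../x' resolves outside dest_dir
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_plugin_safe(zip_bytes, dest_dir):
    """Validate every entry before writing anything; one bad entry rejects the whole archive."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if os.path.isabs(info.filename) or not is_within(dest_dir, target):
                raise ValueError("zip entry escapes extraction directory: %r" % info.filename)
            planned.append((info, target))
        for info, target in planned:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
                written.append(os.path.realpath(target))
    return written


def read_log_naive(log_dir, logname):
    """Hypothetical vulnerable log viewer: the request parameter is joined straight onto log_dir."""
    with open(os.path.join(log_dir, logname)) as fh:
        return fh.read()


def read_log_safe(log_dir, logname):
    """Accept only a bare file name ending in .log, then re-check the resolved path."""
    if (not logname.endswith(".log") or os.path.basename(logname) != logname
            or logname.startswith(".")):
        raise ValueError("invalid log name: %r" % logname)
    path = os.path.join(log_dir, logname)
    if not is_within(log_dir, path):  # catches a symlink planted inside log_dir
        raise ValueError("log path escapes log directory")
    with open(path) as fh:
        return fh.read()


def run_demo():
    """Exercise both pairs in a throwaway directory (all files and the archive are constructed)."""
    root = tempfile.mkdtemp()
    plugins, logs = os.path.join(root, "plugins"), os.path.join(root, "logs")
    os.makedirs(plugins)
    os.makedirs(logs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myplugin/plugin.php", "<?php // legitimate plugin file")
        zf.writestr("../escaped.php", "<?php // lands outside the plugins directory")
    evil_zip = buf.getvalue()
    with open(os.path.join(logs, "app.log"), "w") as fh:
        fh.write("app log line")
    with open(os.path.join(root, "outside.log"), "w") as fh:
        fh.write("not meant to be readable")

    results = {"safe_rejected": False, "safe_log_rejected": []}
    escaped = os.path.realpath(os.path.join(root, "escaped.php"))
    results["naive_escaped"] = escaped in extract_plugin_naive(evil_zip, plugins)
    safe_dir = os.path.join(root, "plugins_safe")
    try:
        extract_plugin_safe(evil_zip, safe_dir)
    except ValueError:
        results["safe_rejected"] = True
    results["safe_wrote_nothing"] = not os.path.exists(os.path.join(safe_dir, "myplugin", "plugin.php"))
    results["naive_log_escape"] = read_log_naive(logs, "../outside.log")
    results["safe_log_ok"] = read_log_safe(logs, "app.log")
    for bad in ("../outside.log", "app.txt", "/etc/passwd", ".hidden.log"):
        try:
            read_log_safe(logs, bad)
        except ValueError:
            results["safe_log_rejected"].append(bad)
    return results
```

Two details matter in the check. The comparison uses `os.path.commonpath` rather than a string prefix test, because `/var/app/plugins2` starts with `/var/app/plugins` and would pass a prefix test. And both sides go through `realpath`, so a symlink dropped into the directory by an earlier upload cannot point the viewer or the extractor back outside it. For the log viewer, restricting the name to a bare `*.log` file name is the primary control; the containment check is the backstop.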
Bypassing weak HTML filtering for XSS: CVE-2026-41466
Reading time: 3 minutes
CVSS: 5.1
Target: ProjeQtOr >= v7.0 and <= v12.4.3

A stored cross-site scripting vulnerability has been identified in ProjeQtOr. CVE-2026-41466 is caused by insufficient HTML sanitization, allowing attacker-controlled content to be stored and later executed in another user’s browser.
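To make concrete why blacklist-style HTML filtering fails and what the allowlist alternative looks like, here is an added example in Python built on the standard library's HTMLParser. It is not code from this page or from ProjeQtOr, and the weak filter, the allowed tag set and the payloads are assumptions chosen for the illustration; the page does not state which filter ProjeQtOr used or which payload bypassed it.

```python
import html
import re
from html.parser import HTMLParser

# Allowed tags and, per tag, the attributes that survive. Everything else is dropped.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "ul": set(), "li": set(), "a": {"href"}}
VOID = {"br"}
SAFE_HREF = re.compile(r"(?i)^https?://")


def weak_filter(fragment):
    """Hypothetical blacklist filter of the kind that fails: only <script> tags are removed."""
    return re.sub(r"(?i)</?script[^>]*>", "", fragment)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text content still arrives via handle_data
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or (name == "href" and not SAFE_HREF.match(value)):
                continue
            kept += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # close intervening tags too, so output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed payloads that pass the blacklist but not the allowlist.
PAYLOADS = [
    "<img src=x onerror=alert(1)>",
    "<scr<script>ipt>alert(1)</script>",
    '<a href="javascript:alert(1)" onclick="x">link</a>',
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(repr(weak_filter(payload)), "->", repr(sanitize(payload)))
```

The blacklist passes the `onerror` handler untouched because it never looked for event attributes, and it reassembles `<script>` from the nested payload because it removes matches in a single pass. The allowlist never has to enumerate what is dangerous: it emits only the tags and attributes it knows, escapes every run of text, and treats `href` values as unsafe unless they carry an `http` or `https` scheme. For production use a maintained sanitizer library is the right choice; the point of the small one above is the shape of the decision, allow versus deny.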
When uploaded files become scripts : CVE-2026-41467
Reading time: 3 minutes
CVSS: 5.1
Target: ProjeQtOr >= v7.0 and <= v12.4.3

A stored cross-site scripting vulnerability has been identified in ProjeQtOr. CVE-2026-41467 affects the file upload functionality, where HTML files could be uploaded and later executed in the browser of users accessing the uploaded file URL.
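The fix for this class is on the download side rather than the upload side: an uploaded file must never be served in a way that lets the browser render it as a document on the application's origin. The added example below is not code from this page or from ProjeQtOr; the allowlist of inline-safe types, the markup sniff and the header values are assumptions. It decides the response headers for a stored file from its extension and its first bytes.

```python
import os
import re

# Types a browser renders without executing anything from the body.
# SVG is deliberately absent: it is an image format that can carry script.
INLINE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".txt": "text/plain; charset=utf-8",
}

# Markup that should never appear near the start of an "image" or text file.
MARKUP = re.compile(rb"(?i)<\s*(!doctype|html|head|body|script|iframe|svg|meta|link|object|embed|img)\b")


def looks_like_markup(content):
    """Sniff the first KB so a polyglot (a .png that is really HTML) is still sent as a download."""
    return MARKUP.search(content[:1024]) is not None


def safe_filename(name):
    """Collapse the uploader's name to a bare, header-safe file name (no CR/LF, quotes or paths)."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^\w.\-]", "_", base).strip(".")
    return base or "download"


def response_headers(filename, content):
    """Headers for serving a stored upload: inline only for allowlisted, non-markup content."""
    headers = {
        "X-Content-Type-Options": "nosniff",               # the declared type is final
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if rendered
    }
    ctype = INLINE_TYPES.get(os.path.splitext(filename)[1].lower())
    if ctype is None or looks_like_markup(content):
        disposition, ctype = "attachment", "application/octet-stream"
    else:
        disposition = "inline"
    headers["Content-Type"] = ctype
    headers["Content-Disposition"] = '%s; filename="%s"' % (disposition, safe_filename(filename))
    return headers


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        ("report.html", b"<!DOCTYPE html><script>alert(1)</script>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
        ("photo.png", b"\x89PNG\r\n\x1a\n<svg onload=alert(1)>"),
    ]
    for name, body in samples:
        print(name, response_headers(name, body))
```

Three independent controls are stacked here. `Content-Disposition: attachment` with a generic type keeps an uploaded HTML file from rendering at all; `nosniff` stops the browser from second-guessing the declared type of a file that is served inline; and the `sandbox` CSP directive blocks script execution if a rendering path is missed. Serving uploads from a separate origin remains the cleanest fix, because even a rendered page then has no access to the application's cookies or session; the headers above are the defence that applies when that is not an option.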