Introduction
This post is about a path traversal vulnerability affecting the log file viewer in ProjeQtOr.
The general introduction to ProjeQtOr is available in the first article of this series: From login to admin: CVE-2026-41462.
This vulnerability is another concept that is not as flashy as the previous ones but is still important: path traversal. It allows an attacker to read files on the server that should not be accessible, in this case log files.
Vulnerability summary
The vulnerability was located in the log file viewing functionality, through the dynamicDialog.php endpoint.
The affected parameter was used to select which log file should be displayed. However, the application did not properly validate the path before building the file location.
As a result, an authenticated attacker could manipulate the requested log file path and make the application read files outside of the intended log directory.
The limitation observed was that the targeted file had to match the expected log file behavior, mainly files ending with .log. Even with that limitation, the vulnerability remains relevant because log files can contain a lot of useful information for an attacker.
Attack surface
The vulnerability required authentication with a low-privileged account.
The vulnerable feature was reachable remotely and did not require interaction from another user. The attacker only needed access to the application and the ability to reach the log viewer endpoint.
The main impact is confidentiality. Depending on the server and application configuration, exposed logs may contain a lot of information.
This can allow an attacker to gather information about the application or even the server, its users, and potentially find other vulnerabilities or sensitive data that can be used for further attacks.
Proof of concept
No exploit request is provided here.
Recommended fix
The log viewer should never accept arbitrary paths from the user. The application should only allow access to a predefined set of log directories and should reject any path traversal sequence. The best design is to let users choose a logical log name, not a filesystem path.
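A minimal illustration of this design in PHP. This is an added example written for this post, not ProjeQtOr's own code; the log directory, the file names and the `log` request parameter are assumptions.

```php
<?php
// Added example (not ProjeQtOr code): a log viewer that maps a logical
// name to a file instead of accepting a filesystem path from the user.
declare(strict_types=1);

const LOG_DIR = '/var/www/app/logs';   // assumed location, placeholder

// Allowlist: logical name => file name inside LOG_DIR. Users pick a key, never a path.
const LOG_FILES = [
    'application' => 'app.log',
    'sql'         => 'sql.log',
];

// Vulnerable pattern (constructed illustration): a ".log" suffix check is the
// only guard, so any .log file reachable through "../" sequences is read.
function readLogUnsafe(string $requested): string|false {
    if (!str_ends_with($requested, '.log')) { return false; }
    return @file_get_contents(LOG_DIR . '/' . $requested);
}

// Hardened: allowlist lookup, then a realpath containment check as defence in depth.
function resolveLogPath(string $logicalName): ?string {
    if (!array_key_exists($logicalName, LOG_FILES)) {
        return null;  // unknown logical name: reject without touching the filesystem
    }
    $baseDir = realpath(LOG_DIR);
    $target  = realpath(LOG_DIR . DIRECTORY_SEPARATOR . LOG_FILES[$logicalName]);
    if ($baseDir === false || $target === false) {
        return null;  // directory or file missing
    }
    // The resolved file must really live under the log directory (symlink-safe).
    if (strncmp($target, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
        return null;
    }
    return $target;
}

function readLogSafe(string $logicalName): ?string {
    $path = resolveLogPath($logicalName);
    return $path === null ? null : file_get_contents($path);
}

// Usage: the request parameter carries a logical name, never a path.
$content = readLogSafe($_GET['log'] ?? '');
if ($content === null) {
    http_response_code(400);
    echo 'Unknown log';
} else {
    header('Content-Type: text/plain; charset=utf-8');
    echo $content;
}
```

With this layout, a request such as `?log=../../other/secret.log` fails the allowlist lookup before any file is opened, whereas `readLogUnsafe` would accept it because the name ends with `.log`.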
Conclusion
Logs are often treated as harmless debugging files, but they can reveal a lot about an application. And when you can access all the logs of a server, you can find a lot of useful information for an attack, such as configurations, versions and even sometimes credentials.
Even when limited to .log files, path traversal can be exploitable.
Thank you for reading this article, I hope you liked it!
Disclaimer
This post is intended for educational and defensive security purposes only. Only test applications you own or are explicitly authorized to assess.