Path Traversal
Introduction
During the same security research on ProjeQtOr, we identified another interesting vulnerability, this time in the plugin upload mechanism.
I already introduced what ProjeQtOr is and why it can contain sensitive business data in the first article of this series: From login to admin : CVE-2026-41462.
This vulnerability is different from the SQL injection one. Instead of attacking the database directly, it abuses the way the application extracts uploaded plugin archives.
Introduction
This post is about a path traversal vulnerability affecting the log file viewer in ProjeQtOr.
The general introduction to ProjeQtOr is available in the first article of this series: From login to admin : CVE-2026-41462.
This vulnerability illustrates another concept, one that is not as flashy as the previous ones but still important: path traversal. It allows an attacker to read files on the server that should not be accessible, in this case log files.