ZipSlip RCE plugin: CVE-2026-41463

sussetnoe2004@gmail.com (gryfman) — Mon, 27 Apr 2026 00:00:05 +0200

Introduction

During the same security research on ProjeQtOr, we identified another interesting vulnerability, this time in the plugin upload mechanism.

I already introduced what ProjeQtOr is and why it can contain sensitive business data in the first article of this series: From login to admin : CVE-2026-41462 .

This vulnerability is different from the SQL injection one. Instead of attacking the database directly, it abuses the way the application extracts uploaded plugin archives.

Reading outside the logs : CVE-2026-41465

sussetnoe2004@gmail.com (gryfman) — Mon, 27 Apr 2026 00:00:03 +0200

Introduction

This post is about a path traversal vulnerability affecting the log file viewer in ProjeQtOr.

The general introduction to ProjeQtOr is available in the first article of this series: From login to admin : CVE-2026-41462 .

dev

This vulnerability is another concept that is not as flashy as the previous ones, but still important, that is Path Traversal. It allows an attacker to read files on the server that should not be accessible, in this case log files.

Path Traversal on gryfman

ZipSlip RCE plugin: CVE-2026-41463

Introduction

Reading outside the logs : CVE-2026-41465

Introduction

«««< HEAD The general introduction to ProjeQtOr is available in the first article of this series: From login to admin : CVE-2026-41462 .