ProjeQtOr
Introduction
During a security assessment, we identified an unauthenticated SQL injection vulnerability in ProjeQtOr, an open source project management platform. The injection point was located in the authentication logic, allowing an attacker to inject SQL commands directly into the user field, which was later used to look up user accounts. This flaw could be exploited to create a new administrative user or gain full access to the database without needing valid credentials.
Introduction
During the same security research on ProjeQtOr, we identified another interesting vulnerability, this time in the plugin upload mechanism.
I already introduced what ProjeQtOr is and why it can contain sensitive business data in the first article of this series: From login to admin: CVE-2026-41462.
This vulnerability is different from the SQL injection one. Instead of attacking the database directly, it abuses the way the application extracts uploaded plugin archives.
Introduction
This article covers another vulnerability we found during our research on ProjeQtOr: a missing authorization issue.
If you want more context about ProjeQtOr itself, I already introduced the software in the first post of this series: From login to admin: CVE-2026-41462.
Here the issue is different from the previous ones, and involves an access control flaw that allowed low-privileged authenticated users to access sensitive information about other users, including password hashes and API keys.
Introduction
This post is about a path traversal vulnerability affecting the log file viewer in ProjeQtOr.
The general introduction to ProjeQtOr is available in the first article of this series: From login to admin: CVE-2026-41462.
This vulnerability belongs to another class of issue that is not as flashy as the previous ones but is still important: path traversal. It allows an attacker to read files on the server that should not be accessible, in this case log files.
Introduction
This article focuses on a stored XSS vulnerability we identified in ProjeQtOr.
For more context about the software itself, I already covered that in the first article of this series: From login to admin: CVE-2026-41462.
This time, the vulnerable behavior was linked to HTML filtering. The application tried to detect dangerous HTML patterns, but the protection was not strong enough.
Introduction
This post covers another stored XSS vulnerability in ProjeQtOr, this time through file upload.
I already introduced ProjeQtOr and why this kind of application can contain sensitive business data in the first article of the series: From login to admin: CVE-2026-41462.