
ZipSlip RCE plugin: CVE-2026-41463

Introduction

During the same security research on ProjeQtOr, we identified another interesting vulnerability, this time in the plugin upload mechanism.

I already introduced what ProjeQtOr is and why it can contain sensitive business data in the first article of this series: From login to admin: CVE-2026-41462.

This vulnerability is different from the SQL injection one. Instead of attacking the database directly, it abuses the way the application extracts uploaded plugin archives.