https://gryfman.fr/tags/rce/Recent content in RCE on gryfmanHugoen-ussussetnoe2004@gmail.com (gryfman)sussetnoe2004@gmail.com (gryfman)Mon, 27 Apr 2026 00:00:05 +0200https://gryfman.fr/cves/cve-2026-41463/Mon, 27 Apr 2026 00:00:05 +0200sussetnoe2004@gmail.com (gryfman)https://gryfman.fr/cves/cve-2026-41463/<h2 id="introduction">Introduction</h2> <p>During the same security research on ProjeQtOr, we identified another interesting vulnerability, this time in the plugin upload mechanism.</p> <p>I already introduced what ProjeQtOr is and why it can contain sensitive business data in the first article of this series: <a href="https://gryfman.fr/cves/cve-2026-41462">From login to admin : CVE-2026-41462</a> .</p> <p>This vulnerability is different from the SQL injection one. Instead of attacking the database directly, it abuses the way the application extracts uploaded plugin archives.</p>