CVE-2026-41462

ProjeQtor · ProjeQtor

ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login function that allows arbitrary command execution and account takeover.

Executive summary

An unauthenticated SQL injection vulnerability in ProjeQtor allows remote attackers to execute arbitrary code and compromise the entire application database.

Vulnerability

The application fails to sanitize the username input during the login process, allowing unauthenticated attackers to inject malicious SQL queries directly into the backend database.

Business impact

This vulnerability carries a CVSS score of 9.8, indicating a critical risk that could lead to a total loss of confidentiality, integrity, and availability. Successful exploitation enables unauthorized actors to create administrative accounts, exfiltrate sensitive project data, or gain full control over the underlying server operating system.

Remediation

Immediate Action: Upgrade to the latest version of ProjeQtor as soon as possible to resolve the vulnerable authentication logic.

Proactive Monitoring: Inspect application logs for unusual login attempts, specifically those containing SQL syntax or non-standard characters in the username field.

Compensating Controls: Deploy a Web Application Firewall (WAF) with strict SQL injection protection rules configured to inspect the login endpoint.
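One way to implement the log inspection described above, as an added example that is not part of this advisory or of ProjeQtor itself. ProjeQtor's real log layout is not known here, so the line format, field names and sample entries below are constructed assumptions; the classifier also decodes URL-encoded usernames so encoded quotes are not missed.

```python
import re
from urllib.parse import unquote_plus

# Constructed log layout (assumption, not ProjeQtor's real format):
# <date> <time> login result=<ok|fail> ip=<addr> user="<raw username field>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) login result=(?P<result>\w+) ip=(?P<ip>\S+) user="(?P<user>.*)"$'
)

# Indicators that have no business in a username field; each carries a triage label.
# "quote" alone is low confidence (names like O'Brien), the others are much stronger.
SQL_SIGNS = [
    ("comment", re.compile(r"--|#|/\*")),
    ("tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"\d]")),
    ("keyword", re.compile(r"(?i)\b(union|select|sleep|benchmark|insert|update|drop)\b")),
    ("terminator", re.compile(r";")),
    ("quote", re.compile(r"['\"]")),
]
# Characters an ordinary account name is expected to use (assumption; tune per deployment)
ALLOWED_USER = re.compile(r"^[\w.@+-]{1,64}$")


def classify_username(raw):
    """Return the indicator labels found in a username field (empty list if clean)."""
    user = unquote_plus(raw)  # catch %27 / %20 / '+' encoded submissions
    if ALLOWED_USER.fullmatch(user):
        return []
    return [label for label, pat in SQL_SIGNS if pat.search(user)] or ["nonstandard-chars"]


def suspicious_logins(lines):
    """Parse log lines and return (ip, raw username, labels) for every flagged attempt."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a login record in the assumed layout
        labels = classify_username(m["user"])
        if labels:
            flagged.append((m["ip"], m["user"], labels))
    return flagged


# Constructed sample entries: two benign logins and two injection-style usernames
SAMPLE_LOG = [
    '2026-05-01 09:12:01 login result=ok ip=10.0.0.5 user="alice"',
    "2026-05-01 09:12:09 login result=fail ip=198.51.100.7 user=\"admin' OR '1'='1\"",
    '2026-05-01 09:12:10 login result=fail ip=198.51.100.7 user="admin%27%20AND%20SLEEP(5)--%20"',
    '2026-05-01 09:13:44 login result=ok ip=10.0.0.9 user="o.brien@example.org"',
]

if __name__ == "__main__":
    for ip, user, labels in suspicious_logins(SAMPLE_LOG):
        print(f"{ip}\t{labels}\t{user}")
```

Feed the function the deployment's own login records after adjusting LOG_RE to match them; alerting on any hit other than a lone "quote" label keeps false positives manageable.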

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the critical severity of this SQL injection flaw, immediate patching is required to prevent unauthorized system access. Security teams should prioritize this update across all internet-facing ProjeQtor instances to mitigate the risk of remote code execution.