CVE-2026-41462
Published 2026-04-27
Priority P2 (64) · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.56% (42.3rd percentile)
ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.
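To make concrete what "directly concatenated into a SQL query without parameterization" means for a login check, here is an added example written for this page. It is not ProjeQtor's code (ProjeQtor is a PHP application; this is Python against an in-memory SQLite database), and the `users` table, its columns and the seeded account are constructed for illustration. The vulnerable function builds the query by string concatenation, the fixed one binds the same values as parameters, and a small triage heuristic flags the kind of username an attacker would have to send.

```python
import sqlite3


def make_db():
    """Constructed schema and seed data for illustration only; ProjeQtor's
    real table and column names are not assumed here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.execute(
        "INSERT INTO users (login, password, is_admin) "
        "VALUES ('alice', 'correct-horse', 0)"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """The pattern the advisory describes: the login value is spliced
    straight into the SQL text, so quotes and comment markers in the
    username rewrite the query. Returns the matched login or None."""
    sql = (
        "SELECT login FROM users WHERE login = '" + login + "' "
        "AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, login, password):
    """Parameterized form: the driver passes values separately from the
    query text, so the same payloads are just literal, non-matching
    usernames."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


# Two usernames that need no valid password. "-- " with the trailing space
# is the line-comment form that both SQLite and MySQL accept; it cuts the
# password check off the end of the statement. The second also forces the
# WHERE clause to be true for every row, so the first user comes back.
PAYLOAD_COMMENT = "alice' -- "
PAYLOAD_TAUTOLOGY = "' OR 1=1 -- "


def suspicious_login_value(login):
    """Cheap triage heuristic for web-server logs or a temporary WAF rule
    while unpatched: flags usernames carrying quote, comment or statement
    separators. A hit is a reason to look, not proof of exploitation
    (names like o'brien will match too)."""
    needles = ("'", '"', "--", "/*", ";", " or ")
    lowered = login.lower()
    return any(n in lowered for n in needles)


if __name__ == "__main__":
    db = make_db()
    for payload in (PAYLOAD_COMMENT, PAYLOAD_TAUTOLOGY):
        print(repr(payload),
              "vulnerable ->", login_vulnerable(db, payload, "wrong"),
              "| fixed ->", login_fixed(db, payload, "wrong"),
              "| flagged:", suspicious_login_value(payload))
```

Running the block prints `'alice'` for both payloads against `login_vulnerable` and `None` against `login_fixed`. The advisory's further claims (creating privileged accounts, reading other tables, running OS commands) depend on the engine allowing stacked statements or file/command primitives and on the database account's privileges; SQLite's `execute` refuses a second statement, which is why this example stops at authentication bypass.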
Affected
1 range (no fixed version listed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projeqtor | projeqtor | 7.0 – 12.4.3 | — |
CVSS provenance
NVD, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
ProjeQtor up to 12.4.3 Authentication Endpoint Username SQL injection
vuldb · 2026-04-27 · CVSS 9.3 · CRITICAL
A vulnerability was found in ProjeQtor up to 12.4.3. It has been rated as critical. This vulnerability affects unknown code of the component Authentication Endpoint. Performing a manipulation of the argument Username results in SQL injection.
This vulnerability is known as CVE-2026-41462. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is advised.
GHSA
GHSA-rrf3-x3xf-m69q: ProjeQtor versions 7
ghsa_unreviewed · 2026-04-27 · CRITICAL · CWE-89 (SQL injection)
Advisory text identical to the description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.