CVE-2026-41463
Published 2026-04-27 · CVE-2026-41463: ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers…
Priority: P2 · 60 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.08% (60.9th percentile)
ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.
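The description above names the root cause (unvalidated archive extraction) and the impact (a file written outside the extraction directory, in a web-accessible path). The usual mitigation is to resolve every archive member against the destination directory before writing anything and to reject the whole archive if any member escapes. The following is an added example, not ProjeQtor's code and not the fix the project shipped; it is written in Python (ProjeQtor itself is PHP, but the check is the same in either language), the sample archives are constructed inline, the destination path `/var/www/plugins` used in the scan helper is a placeholder, and the function and file names are made up for the illustration.

```python
"""Defensive ZIP extraction that refuses ZipSlip-style entries.

Added example (not ProjeQtor code). Every archive member is resolved
against the extraction directory before anything is written; if any
member would land outside it, the whole archive is rejected.
"""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def member_is_safe(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a path inside dest_dir.

    Rejects absolute names, drive-letter names, and any '..' sequence that
    escapes dest_dir once the path is normalised.
    """
    # ZIP entries use '/' separators; treat '\\' as a separator as well so a
    # Windows-style traversal is not silently normalised away on POSIX.
    name = member_name.replace("\\", "/")
    if PurePosixPath(name).is_absolute():
        return False
    if len(name) > 1 and name[1] == ":":  # drive letter such as C:...
        return False
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)


def find_unsafe_members(archive: bytes, dest_dir: str = "/var/www/plugins") -> list:
    """Scan an archive (without extracting) and list members that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not member_is_safe(dest_dir, n)]


def safe_extract(archive: bytes, dest_dir: str) -> list:
    """Extract only after every member passes the check; returns the names written."""
    unsafe = find_unsafe_members(archive, dest_dir)
    if unsafe:
        # Reject the archive as a whole rather than skipping the bad entries.
        raise ValueError(f"refusing archive: traversal in {unsafe}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed sample helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (hypothetical plugin layouts, not real ProjeQtor plugins).
BENIGN_PLUGIN = build_archive({"myplugin/plugin.xml": b"<plugin/>", "myplugin/main.php": b"<?php\n"})
TRAVERSAL_PLUGIN = build_archive({"myplugin/plugin.xml": b"<plugin/>", "../../escaped.php": b"<?php\n"})


def demo() -> dict:
    """Run both samples into a scratch directory and report the outcome of each."""
    with tempfile.TemporaryDirectory() as d:
        benign_written = safe_extract(BENIGN_PLUGIN, d)
        try:
            safe_extract(TRAVERSAL_PLUGIN, d)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
    return {"benign_written": benign_written, "traversal_rejected": traversal_rejected}


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path, not by searching the name for `..`, so `myplugin/sub/../x` (harmless) passes while `../../escaped.php` and absolute names fail. One caveat the example does not cover: if the extraction directory already contains a symlink pointing outside it, a later member written through that symlink also escapes; extracting into a fresh, empty directory and moving the result into place afterwards closes that gap.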
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projeqtor | projeqtor | 7.0 – 12.4.3 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-mcxw-xmpc-rm88 · ghsa_unreviewed · 2026-04-27 · CVE-2026-41463 [HIGH] · CWE-22
(Description identical to the summary above.)
VulDB
ProjeQtor up to 12.4.3 Archive Extraction path traversal · vuldb · 2026-04-27 · CVSS 8.7 · CVE-2026-41463 [HIGH]
A vulnerability has been found in ProjeQtor up to 12.4.3 and classified as critical. Affected is an unknown function of the component Archive Extraction Handler. The manipulation leads to path traversal.
This vulnerability is documented as CVE-2026-41463. The attack can be initiated remotely. There is no exploit available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.