CVE-2026-41465
Published 2026-04-27
Priority: P3 · 43 · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.54% (41.3th percentile)
ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.
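A log-review check for the behaviour described above, as an added example that is not part of the advisory or of ProjeQtor: it scans web access log lines for requests to dynamicDialog.php whose logname value contains a `..` path segment after percent-decoding. It assumes combined-format access logs and that logname appears in the query string (the page does not say how the parameter is sent); the sample lines, paths and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample entries in "combined" log format; paths and IPs are made up.
SAMPLE_LOG = [
    '198.51.100.7 - alice [27/Apr/2026:10:01:02 +0000] "GET /app/dynamicDialog.php?logname=projeqtor_20260427 HTTP/1.1" 200 5120',
    '198.51.100.9 - bob [27/Apr/2026:10:02:11 +0000] "GET /app/dynamicDialog.php?logname=../../other/dir/app HTTP/1.1" 200 48211',
    '198.51.100.9 - bob [27/Apr/2026:10:02:15 +0000] "GET /app/dynamicDialog.php?logname=%2e%2e%2f%2e%2e%2fother%2fapp HTTP/1.1" 200 48211',
    '198.51.100.7 - alice [27/Apr/2026:10:03:40 +0000] "GET /app/main.php?page=a..b HTTP/1.1" 200 900',
]

# Client address, request target and status code from one access log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(logname):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    return '..' in re.split(r'[/\\]', fully_decode(logname))

def find_suspect_requests(lines):
    """Return (ip, status, decoded logname) for dynamicDialog.php hits with traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request entry
        url = urlsplit(m.group('target'))
        if not url.path.lower().endswith('/dynamicdialog.php'):
            continue  # only the log viewer endpoint named in the advisory
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == 'logname' and is_traversal(value):
                hits.append((m.group('ip'), int(m.group('status')), fully_decode(value)))
    return hits

if __name__ == '__main__':
    for ip, status, logname in find_suspect_requests(SAMPLE_LOG):
        print(f'{ip} status={status} logname={logname}')
```

Requests that carry the parameter in a POST body do not appear in access logs, so covering them needs application-level or WAF logging instead.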
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projeqtor | projeqtor | 7.0 – 12.4.3 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-5m4x-rvj4-r2rw: ProjeQtor versions 7
ghsa_unreviewed · 2026-04-27
CVE-2026-41465 [HIGH] CWE-22
ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.
VulDB
ProjeQtor up to 12.4.3 dynamicDialog.php logname path traversal
vuldb · 2026-04-27 · CVSS 7.1
CVE-2026-41465 [HIGH]
A vulnerability, which was classified as critical, was found in ProjeQtor up to 12.4.3. This impacts an unknown function of the file dynamicDialog.php. Executing a manipulation of the argument logname can lead to path traversal.
This vulnerability is registered as CVE-2026-41465. It is possible to launch the attack remotely. No exploit is available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.