LeakyCreds

CVE-2026-41463 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: April 27, 2026

ProjeQtor - Path Traversal & Remote Code Execution

Published: April 27, 2026 | Updated: April 27, 2026 | Remote Exploitable

Overview

ProjeQtor 7.0 through 12.4.3 contains a path traversal vulnerability caused by unvalidated ZIP archive extraction in the plugin upload functionality, letting authenticated attackers with upload permissions write files outside intended directories and achieve remote code execution.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Authenticated attackers can write files outside intended directories and execute arbitrary code with web server privileges.

Mitigation

Update to the latest version beyond 12.4.3.

Details

CVE ID: CVE-2026-41463
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: rejected

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H