Skip to content
CVSS 8.8 · HIGH

CVE-2026-41463

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

View on NVD

Analysis

ProjeQtor is an open-source project management tool affected by an authenticated remote code execution vulnerability via ZipSlip. While the impact is severe for users of the software, ProjeQtor is a niche tool that does not meet the threshold of widespread community adoption required for the general feed.

Severity

Score: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-22

EPSS

Probability of exploitation (next 30 days): 0.0047 (0.5%)
Percentile: 64.6%
EPSS: 2026-05-06

Technical description

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

Published: 4/27/2026, 4:16:45 PM
Last modified: 4/27/2026, 6:36:19 PM

References

HomeEventsBlogResourcesTeam