Skip to content
CVSS 8.8 · HIGH

CVE-2026-41463

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

Ver en NVD

Análisis

ProjeQtor is an open-source project management tool affected by an authenticated remote code execution vulnerability via ZipSlip. While the impact is severe for users of the software, ProjeQtor is a niche tool that does not meet the threshold of widespread community adoption required for the general feed.

Severidad

Puntaje: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-22

EPSS

Probabilidad de explotación (próx. 30 días): 0.0047 (0.5%)
Percentil: 64.6%
EPSS: 2026-05-06

Descripción técnica

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

Publicada: 27/4/2026, 16:16:45
Última modificación: 27/4/2026, 18:36:19

Referencias

InicioEventosBlogRecursosEquipo