ProjeQtor < 12.4.4 Unauthenticated SQL Injection via Login

Advisories

severity: critical
date: 4/27/2026
Affecting: ProjeQtor v7.0 < 12.4.4
CVE: CVE-2026-41462
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Damiri Researcher Disclosure
Gryfman Researcher Disclosure
Product Webpage
Credit: Yassine Damiri, Noé Susset
Description: ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo