Impact
ProjeQtor versions between 7.0 and 12.4.3 expose a login endpoint where the username field is concatenated directly into a SQL query without any form of parameterization or sanitization. Attackers can supply a crafted username that passes through the authentication logic and inject arbitrary SQL expressions, enabling the creation of privileged user accounts, extraction of sensitive data, and, if the database account has elevated privileges, the execution of operating system commands. This flaw allows an unauthenticated user to compromise confidentiality, integrity, and availability of the system. The vulnerability is a classic SQL injection (CWE-89).
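The following is an added illustration of the defect class described above, not code from ProjeQtor: a login check that concatenates the username into the query, placed beside the parameterized form that fixes it, plus a crude heuristic a defender can run over login attempts in access logs. The table, the account, and the input strings are all constructed for the demonstration and run against an in-memory SQLite database.

```python
import sqlite3

# Constructed stand-in for the application's user table; nothing here is
# ProjeQtor data. Passwords are stored in clear only to keep the example
# short; a real system compares a password hash.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 0)")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The advisory's pattern: untrusted input is spliced into SQL text,
    so quote characters and comment markers in the username change the
    structure of the query instead of being treated as data."""
    sql = ("SELECT name FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    """Parameterized query: the driver binds both values, so the
    username is compared literally and can never alter the statement."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# Heuristic for log review (assumed detection aid, not a fix): flag
# usernames carrying SQL string or comment delimiters. Parameterization
# is the control; this only helps spot attempts against the old code.
SUSPICIOUS_TOKENS = ("'", '"', "--", ";", "/*")

def suspicious_username(username):
    return any(tok in username for tok in SUSPICIOUS_TOKENS)

if __name__ == "__main__":
    # Constructed username that closes the string and comments out the
    # password check; it is the same input for both implementations.
    crafted = "alice' --"
    print("vulnerable:", login_vulnerable(build_db(), crafted, "wrong"))  # alice
    print("fixed:     ", login_fixed(build_db(), crafted, "wrong"))       # None
    print("fixed, real credentials:",
          login_fixed(build_db(), "alice", "correct horse"))              # alice
    print("flagged:", suspicious_username(crafted))                       # True
```

With the concatenated version the crafted username is accepted without a valid password; the bound version rejects it and still accepts the genuine credentials. The same fix applies to any database driver that supports placeholders (PDO prepared statements in PHP, for instance).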
Affected Systems
All installations of ProjeQtor from version 7.0 up to and including 12.4.3 are affected. The affected component is the authentication module that processes login requests submitted via the web interface; the application connects to the database with the user account specified in its configuration. The scope extends to any system where ProjeQtor is deployed with a database user that has privileges sufficient to execute system commands.
Risk and Exploitability
The CVSS score of 9.3 classifies the issue as critical. EPSS data is not available, so a precise exploitation probability cannot be estimated, but the absence of a KEV listing does not diminish the risk posed by the vulnerability. The attack can be carried out remotely by sending an unauthenticated HTTP request to the login service; the lack of input validation means an attacker does not need prior access. The most severe outcomes (schema manipulation and, where the database supports it, OS command execution) require the database user to hold correspondingly broad privileges, which is often the case in default ProjeQtor deployments.
OpenCVE Enrichment