Description
ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.
Published: 2026-04-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path‑traversal flaw in the uploadPlugin.php handler. An attacker who can authenticate and has upload permissions can craft a specially‑structured ZIP archive that extracts files outside the intended directory. This allows writing a PHP webshell into a publicly accessible location and executing code with the privileges of the web server process, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects ProjeQtor 7.0 up to 12.4.3 across all supported platforms. The issue is limited to installations that enable the uploadPlugin.php functionality and allow authenticated users to upload files.

Risk and Exploitability

With a CVSS score of 8.7 the flaw is considered high severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly documented exploit at this time. The likely attack vector is an authenticated user with upload rights, who can evade server checks by uploading a malicious ZIP file that extracts files out of bounds. If successful, the attacker gains remote code execution as the web server user.

Generated by OpenCVE AI on April 28, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProjeQtor installation to version 12.4.4 or later where the path‑traversal check has been fixed
  • If an upgrade is not immediately possible, disable the uploadPlugin.php feature or remove upload permissions from all but trusted users
  • Configure the web server to prevent execution of uploaded files in any upload directories and to enforce strict file‑type validation during extraction

Generated by OpenCVE AI on April 28, 2026 at 04:21 UTC.
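The control the recommended actions describe, shown as an added example in Python that is not ProjeQtor's own code: every archive member is resolved against the extraction directory before anything is written, and any member that is absolute or escapes that directory causes the archive to be rejected. The destination path and the sample archive below are constructed for illustration.

```python
import io
import os
import zipfile


def resolved_target(dest_dir, member):
    """Return the absolute path an archive member would be written to under
    dest_dir, or None if it is absolute or escapes dest_dir (ZipSlip)."""
    # ZIP names use '/', but normalise backslashes too so a Windows host
    # cannot be traversed with '..\..\' segments.
    member = member.replace("\\", "/")
    if member.startswith("/") or os.path.isabs(member):
        return None
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *member.split("/")))
    try:
        # After '..' segments and symlinks are resolved, the target must
        # still lie inside the extraction directory.
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return target if inside else None


def check_archive(zip_bytes, dest_dir):
    """Classify every member before extraction. The caller should refuse the
    whole archive if anything is rejected rather than extract it partially."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if resolved_target(dest_dir, info.filename) is None:
                rejected.append((info.filename, "escapes extraction directory"))
            else:
                accepted.append(info.filename)
    return accepted, rejected


def build_sample_zip():
    """Constructed test fixture, not a real plugin: one benign member, one
    relative traversal member and one absolute member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myplugin/plugin.php", "<?php // benign plugin code\n")
        zf.writestr("../../outside.txt", "would land outside the plugin directory\n")
        zf.writestr("/etc/absolute.txt", "absolute member name\n")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = check_archive(build_sample_zip(), "/srv/projeqtor/plugins")
    print("accepted:", ok)
    print("rejected:", bad)
```

Entries such as `../plugins/x.php` that resolve back inside the directory are accepted because the check is on the resolved path, not on the presence of `..`; that is the intended behaviour.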

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 01:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Projeqtor
                                      Projeqtor projeqtor
Vendors & Products                    Projeqtor
                                      Projeqtor projeqtor

Mon, 27 Apr 2026 19:30:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.
Title                          ProjeQtor < 12.4.4 ZipSlip Path Traversal via uploadPlugin.php
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:47.957Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41463

Vulnrichment

Updated: 2026-04-27T17:56:32.259Z

NVD

Status : Deferred

Published: 2026-04-27T16:16:45.493

Modified: 2026-04-27T18:36:19.637

Link: CVE-2026-41463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses