Description
ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.
Published: 2026-04-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of log files via path traversal
Action: Patch
AI Analysis

Impact

A directory traversal flaw in ProjeQtor’s log file viewer (dynamicDialog.php) allows attackers to supply a logname parameter containing ../ sequences. The application fails to validate this input before assembling the file path, enabling an authenticated user to read arbitrary .log files that are accessible to the web server process. The primary impact is the unauthorized disclosure of potentially sensitive information stored in those log files, such as credentials, system configuration, or debug output.

Affected Systems

All ProjeQtor installations from version 7.0 up to 12.4.3, inclusive, are affected because the path traversal vulnerability resides in the dynamicDialog.php component of the ProjeQtor:ProjeQtor product. No later versions (12.4.4 and above) contain the fix.

Risk and Exploitability

The vulnerability scores 7.1 on the CVSS scale, indicating a moderate to high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to have valid authentication to the ProjeQtor application, after which the attacker can craft requests to dynamicDialog.php with directory traversal payloads to read arbitrary log files. The attack vector is via the web interface, leveraging the logname request parameter. The exploitation is straightforward in environments where log files are readable by the web server process, and no additional conditions are stated in the description.

Generated by OpenCVE AI on April 28, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProjeQtor to version 12.4.4 or later so the path traversal flaw is patched.
  • Restrict file system permissions so that only the web server user can read log files, preventing disclosure if traversal is still possible.
  • Implement server‑side validation that rejects any directory traversal sequences in the logname parameter, ensuring that only legitimate log file names are processed.

Generated by OpenCVE AI on April 28, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Projeqtor
Projeqtor projeqtor
Vendors & Products Projeqtor
Projeqtor projeqtor

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.
Title ProjeQtor < 12.4.4 Path Traversal via dynamicDialog.php
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Projeqtor Projeqtor
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:49.476Z

Reserved: 2026-04-20T16:07:47.311Z

Link: CVE-2026-41465

cve-icon Vulnrichment

Updated: 2026-04-27T16:25:49.873Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T16:16:45.793

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-41465

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses