CVE-2026-41462
Received Received - Intake
Unauthenticated SQL Injection in ProjeQtor Login Enables Privilege Escalation

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VulnCheck

Description
ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41462
EUVD
EUVD-2026-25865
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projeqtor projeqtor From 7.0 (inc) to 12.4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41462 is a critical unauthenticated SQL injection vulnerability found in ProjeQtor versions 7.0 through 12.4.3. The vulnerability exists in the login functionality where the username input is directly concatenated into an SQL query without proper parameterization or sanitization.

This flaw allows attackers to inject arbitrary SQL code through the username field at the authentication endpoint. As a result, attackers can create privileged accounts, access sensitive data without authorization, and even execute operating system commands if the database user has elevated permissions.

Mitigation Strategies

The vulnerability exists in ProjeQtor versions 7.0 through 12.4.3 in the login functionality due to unauthenticated SQL injection via the username field.

Immediate mitigation steps include upgrading ProjeQtor to a version later than 12.4.3 where this vulnerability is fixed.

If upgrading is not immediately possible, restrict network access to the authentication endpoint to trusted users only and monitor for suspicious login attempts.

Additionally, review database user permissions to ensure the database user used by ProjeQtor does not have elevated privileges that could be exploited to execute operating system commands.

Impact Analysis

This vulnerability can have severe impacts including unauthorized creation of privileged accounts, which can lead to full system compromise.

Attackers can read sensitive data stored in the database, potentially exposing confidential information.

If the database user has elevated permissions, attackers may execute operating system commands, leading to further system control or damage.

Overall, this can result in a complete breach of confidentiality, integrity, and availability of the affected system.

Compliance Impact

The vulnerability allows attackers to create privileged accounts, access sensitive data without authorization, and potentially execute operating system commands if the database user has elevated permissions.

Such unauthorized access and data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to compromised confidentiality, integrity, and availability of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart