CVE-2026-41462
Unauthenticated SQL Injection in ProjeQtor Login Enables Privilege Escalation
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projeqtor | projeqtor | From 7.0 (inc) to 12.4.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to create privileged accounts, access sensitive data without authorization, and potentially execute operating system commands if the database user has elevated permissions.
Such unauthorized access and data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.
Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to compromised confidentiality, integrity, and availability of protected data.
Can you explain this vulnerability to me?
CVE-2026-41462 is a critical unauthenticated SQL injection vulnerability found in ProjeQtor versions 7.0 through 12.4.3. The vulnerability exists in the login functionality where the username input is directly concatenated into an SQL query without proper parameterization or sanitization.
This flaw allows attackers to inject arbitrary SQL code through the username field at the authentication endpoint. As a result, attackers can create privileged accounts, access sensitive data without authorization, and even execute operating system commands if the database user has elevated permissions.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized creation of privileged accounts, which can lead to full system compromise.
Attackers can read sensitive data stored in the database, potentially exposing confidential information.
If the database user has elevated permissions, attackers may execute operating system commands, leading to further system control or damage.
Overall, this can result in a complete breach of confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in ProjeQtor versions 7.0 through 12.4.3 in the login functionality due to unauthenticated SQL injection via the username field.
Immediate mitigation steps include upgrading ProjeQtor to a version later than 12.4.3 where this vulnerability is fixed.
If upgrading is not immediately possible, restrict network access to the authentication endpoint to trusted users only and monitor for suspicious login attempts.
Additionally, review database user permissions to ensure the database user used by ProjeQtor does not have elevated privileges that could be exploited to execute operating system commands.