Vulnerability Description
ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://damiri.fr/en/cves/CVE-2026-41463
- https://gryfman.fr/cves/CVE-2026-41463
- https://www.projeqtor.com
- https://www.vulncheck.com/advisories/projeqtor-zipslip-path-traversal-via-upload
FAQ
What is CVE-2026-41463?
CVE-2026-41463 is a vulnerability with a CVSS score of 8.8 (HIGH). ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outsi...
How severe is CVE-2026-41463?
CVE-2026-41463 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41463?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.