CVE-2026-41462 CRITICAL

CVE-2026-41462: ProjeQtor < 12.4.4 Unauthenticated SQL Injection via Login

Vendor Projeqtor
Product ProjeQtor
Weakness CWE-89 · SQLi
Published April 27, 2026
Last update May 14, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.

Key dates

02Disclosure timeline

April 27, 2026 CVE published
May 14, 2026 Record updated