Critical severity9.8NVD Advisory· Published Apr 27, 2026· Updated Apr 27, 2026

CVE-2026-41462

Description

ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

damiri.fr/en/cves/CVE-2026-41462nvd
gryfman.fr/cves/CVE-2026-41462nvd
www.projeqtor.comnvd
www.vulncheck.com/advisories/projeqtor-unauthenticated-sql-injection-via-loginnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000