High severity8.8NVD Advisory· Published Apr 27, 2026· Updated Apr 27, 2026

CVE-2026-41463

Description

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

damiri.fr/en/cves/CVE-2026-41463nvd
gryfman.fr/cves/CVE-2026-41463nvd
www.projeqtor.comnvd
www.vulncheck.com/advisories/projeqtor-zipslip-path-traversal-via-uploadplugin-phpnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000