Cyber Posture

CVE-2026-41462

Severity: Critical · Public PoC available

Published: 27 April 2026
Modified: 27 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality, where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.

Mitigating Controls (NIST 800-53 r5, AI-generated)

- Prevent: Directly prevents SQL injection by requiring validation and sanitization of the unauthenticated username input before it is concatenated into login SQL queries.
- Prevent: Remediates the specific SQL injection flaw in ProjeQtor's login functionality through timely patching or code fixes such as query parameterization.
- Prevent: Limits damage from successful SQL injection by enforcing least privilege on the database user account, restricting creation of privileged accounts and OS command execution.

Security Summary (AI-generated)

CVE-2026-41462 is an unauthenticated SQL injection vulnerability (CWE-89) affecting ProjeQtor project management software in versions 7.0 through 12.4.3. The flaw resides in the login functionality, where the "login" variable from the username field is directly concatenated into a SQL query without parameterization or sanitization at the authentication endpoint. Published on 2026-04-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By injecting arbitrary SQL expressions via the username field during login attempts, adversaries can create privileged database accounts, extract sensitive data such as user credentials or application data, and potentially execute operating system commands if the underlying database user possesses elevated permissions.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/projeqtor-unauthenticated-sql-injection-via-login), Damiri (https://damiri.fr/en/cves/CVE-2026-41462), Gryfman (https://gryfman.fr/cves/CVE-2026-41462), and the vendor site (https://www.projeqtor.com), provide additional details on the issue; security practitioners should consult these for patch availability and mitigation guidance.


MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The unauthenticated SQL injection in the login endpoint of public-facing ProjeQtor software directly enables remote exploitation of a public-facing application for initial access, credential and data extraction, and potential OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
