PT-2026-24962 · Undefined · Undefined

0Xnayel +1 · Published 2026-03-12 · Updated 2026-03-30 · CVE-2026-4044

CVSS v2.0: 4.7 (Medium)

Vector: AV:N/AC:L/Au:M/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions

projectsend versions prior to r1945

Description

A flaw exists in projectsend that allows for path traversal. This issue affects the realpath function within the /import-orphans.php file of the Delete Handler component. Manipulating the files[] argument can lead to unauthorized access. Remote exploitation is possible, and an exploit is publicly available. The vendor was notified but did not respond.

Recommendations

Update projectsend to a version later than r1945. As a temporary workaround, restrict access to the /import-orphans.php file.
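
As an added illustration (not projectsend's code and not taken from the advisory): a containment check that a delete handler can apply to each files[] entry before removing anything, assuming the handler is meant to delete only from one base directory. The function name resolveDeletable, the directory names and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Split user-supplied names into resolved paths that stay inside $baseDir
 * and names that must be rejected. Hypothetical helper, not a projectsend API.
 */
function resolveDeletable(string $baseDir, array $names): array
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory does not exist');
    }
    // Trailing separator stops "/orphans_backup" from matching the prefix "/orphans".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $allowed = [];
    $rejected = [];
    foreach ($names as $name) {
        // files[] entries can arrive as nested arrays; accept only plain strings.
        if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
            $rejected[] = $name;
            continue;
        }
        // realpath() collapses ".." and follows symlinks; it returns false for a missing path.
        // Resolving alone is not a check: the result must still be compared with the base.
        $real = realpath($prefix . $name);
        if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            $rejected[] = $name;
            continue;
        }
        $allowed[] = $real;
    }
    return ['allowed' => $allowed, 'rejected' => $rejected];
}

// Constructed demo tree: the base directory, a sibling sharing its name prefix, a file outside.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/orphans', 0700, true);
mkdir($root . '/orphans_backup', 0700, true);
file_put_contents($root . '/orphans/report.pdf', 'x');
file_put_contents($root . '/orphans_backup/keep.txt', 'x');
file_put_contents($root . '/config.php', 'x');

print_r(resolveDeletable($root . '/orphans', [
    'report.pdf', '../config.php', '../orphans_backup/keep.txt', 'missing.txt', ['nested'],
]));
```

Only the entry that resolves to a regular file under the base directory is returned as allowed; a handler would pass that resolved path, not the original request value, to the delete call.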

Exploit

Fix

Path traversal

Weakness Enumeration

Related identifiers

CVE-2026-4044

Affected products

Undefined