CVE-2026-41462

Name of the Vulnerable Software and Affected Versions ProjeQtor versions 7.0 through 12.4.3

Description An unauthenticated SQL injection exists in the login functionality. The login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions. SQL injection is a technique where malicious SQL statements are inserted into entry fields for execution, potentially allowing unauthorized access to the database.

Recommendations Update to version 12.4.4 or later. As a temporary workaround, restrict access to the authentication endpoint to minimize the risk of exploitation.