PT-2026-35442 · Projeqtor · Projeqtor

Noé Susset +1 · Published 2026-04-27 · Updated 2026-04-27 · CVE-2026-41463

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ProjeQtor versions 7.0 through 12.4.3

Description

A ZipSlip path traversal issue exists in the plugin upload functionality. Authenticated attackers with upload permissions can write files outside the intended extraction directory by using ZIP archives containing directory traversal sequences. This unvalidated archive extraction allows for the placement of a PHP webshell in a web-accessible directory, leading to remote code execution with the privileges of the web server process. The issue is located in the 'uploadPlugin.php' endpoint.

Recommendations

Update to version 12.4.4 or later.
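For teams reviewing their own archive handling, the following is an added example of ZIP extraction that validates every entry name before anything is written. It is not ProjeQtor's code and not the 12.4.4 fix; the function names `isSafeEntryName` and `extractArchiveSafely` are hypothetical, and it uses only PHP's standard `ZipArchive` API.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not ProjeQtor code or its fix.

/** Accept only relative entry names with no ".." segment, drive letter or NUL. */
function isSafeEntryName(string $name): bool
{
    $name = str_replace('\\', '/', $name);   // treat Windows separators like '/'
    if ($name === '' || $name[0] === '/' || strpos($name, "\0") !== false) {
        return false;                        // empty, absolute, or NUL-injected
    }
    if (preg_match('#^[A-Za-z]:#', $name) === 1) {
        return false;                        // drive-qualified path
    }
    return !in_array('..', explode('/', $name), true);
}

/** Extract $zipPath under $destDir; refuse the whole archive on any bad entry. */
function extractArchiveSafely(string $zipPath, string $destDir): array
{
    $root = realpath($destDir);
    $zip = new ZipArchive();
    if ($root === false || $zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive or destination');
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {      // pass 1: validate, write nothing
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $zip->close();
            throw new RuntimeException("archive rejected: unsafe entry #$i");
        }
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {      // pass 2: write under $root only
        $name = str_replace('\\', '/', $zip->getNameIndex($i));
        $target = $root . DIRECTORY_SEPARATOR . $name;
        $isDir = substr($name, -1) === '/';
        $dir = $isDir ? rtrim($target, '/') : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        // Defence in depth: the resolved directory must still sit under $root
        // (catches a symlinked directory already present in the destination).
        $real = realpath($dir);
        if ($real === false
            || strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
            throw new RuntimeException("entry #$i resolves outside destination");
        }
        if ($isDir) { continue; }
        $data = $zip->getFromIndex($i);
        if ($data === false || file_put_contents($target, $data) === false) {
            throw new RuntimeException("cannot write entry #$i");
        }
        $written[] = $target;
    }
    $zip->close();
    return $written;
}
```

Validating the full entry list first means a rejected archive leaves no partially extracted files behind; keeping the extraction directory outside the web root removes the code-execution step even if a file is misplaced.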

Exploit

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-41463

Affected Products

Projeqtor