CVE-2026-41464

Name of the Vulnerable Software and Affected Versions ProjeQtor versions 7.0 through 12.4.3

Description Authenticated users with guest-level privileges can retrieve sensitive data belonging to other users, such as password hashes and API keys. This occurs due to missing authorization in the 'objectDetail.php' endpoint, allowing attackers to bypass access controls without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

Recommendations Update to version 12.4.4. As a temporary workaround, restrict access to the 'objectDetail.php' endpoint to minimize the risk of exploitation.