PT-2026-35444 · Projeqtor · Projeqtor

Noé Susset +1 · Published 2026-04-27 · Updated 2026-04-27 · CVE-2026-41465

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ProjeQtor versions 7.0 through 12.4.3

Description

A path traversal issue exists in the log file viewer. Authenticated attackers can inject directory traversal sequences into the logname parameter at the 'dynamicDialog.php' endpoint to read arbitrary .log files accessible to the web server process on the filesystem. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder.

Recommendations

Update to version 12.4.4 or later. As a temporary workaround, restrict access to the 'dynamicDialog.php' endpoint or avoid using the logname parameter until the update is applied.
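For triage while the update is pending, the following added example (not part of the advisory and not ProjeQtor code) scans web server access logs for requests to 'dynamicDialog.php' whose logname value contains traversal sequences, including percent-encoded and double-encoded forms. It assumes Apache combined log format and that logname is visible in the logged request URL; the sample lines and the /app/ path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (Apache combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - bob [27/Apr/2026:10:01:02 +0000] "GET /app/dynamicDialog.php?logname=projeqtor_20260427 HTTP/1.1" 200 5120
198.51.100.23 - alice [27/Apr/2026:10:05:11 +0000] "GET /app/dynamicDialog.php?logname=../../other/app HTTP/1.1" 200 9043
198.51.100.23 - alice [27/Apr/2026:10:05:40 +0000] "GET /app/dynamicDialog.php?logname=%252e%252e%252f%252e%252e%252fother%252fapp HTTP/1.1" 200 9043
203.0.113.7 - bob [27/Apr/2026:10:09:00 +0000] "GET /app/view/main.php?file=../x HTTP/1.1" 404 310
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." as a path segment, an absolute path, a drive letter, or a NUL byte.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:|\x00')


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_logname(line):
    """Return the decoded logname if the request looks like traversal, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/dynamicdialog.php"):
        return None
    # parse_qs decodes once; fully_decode handles any remaining layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get("logname", []):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            return value
    return None


def find_hits(log_text):
    """Return (client_ip, decoded_logname) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        value = suspicious_logname(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits
```

Requests that carry logname in a POST body do not appear in standard access logs, so this check needs request-body logging at a proxy or WAF to cover them.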

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-41465

Affected Products

Projeqtor