Pre-auth SQL injection in ProjeQtor login puts instances at critical risk
TL;DR - ProjeQtor 7.0 through 12.4.3 concatenates the login variable directly into SQL with no parameterisation or sanitisation. An unauthenticated attacker sends a crafted username and injects arbitrary SQL at the auth boundary. Confirmed impacts include creating privileged accounts, reading sensitive data, and - if the DB user is over-privileged - OS command execution. Upgrade to 12.4.4 or later.
What happened
ProjeQtor is a web-based project management application. CVE-2026-41462 is a pre-auth SQL injection vulnerability in its login flow.
The failure is straightforward: the login variable is concatenated into a SQL query rather than parameterised. The authentication endpoint becomes an injection surface. No account needed. Craft a username, inject SQL, proceed.
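The fix for this class of bug is to bind the login name as a query parameter so the database driver never interprets it as SQL. The following is an added illustration in Python against an in-memory SQLite table; it is not ProjeQtor's code and the schema, the PBKDF2 password hashing and the `users` table are assumptions made for the example. A login value that contains a quote or a keyword can then only ever match a literal username, which is the property the concatenated query in the advisory lacks.

```python
import hashlib
import hmac
import secrets
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 chosen for the demo; any slow password hash works here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_demo_db() -> sqlite3.Connection:
    # Constructed in-memory user table for the demonstration (not ProjeQtor's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, is_admin INTEGER)"
    )
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("alice", salt, hash_password("correct horse", salt), 0),
    )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, login: str, password: str):
    """Return the user record on success, None otherwise.

    The login name is passed as a bound parameter (the '?' placeholder), so the
    driver sends it as a value rather than splicing it into the SQL text. Quotes,
    comment markers or UNION/SELECT in it are matched literally against the
    login column and cannot change the query.
    """
    row = conn.execute(
        "SELECT login, salt, pw_hash, is_admin FROM users WHERE login = ?",
        (login,),
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, b"\x00" * 16)
        return None
    stored_login, salt, stored_hash, is_admin = row
    if not hmac.compare_digest(hash_password(password, salt), stored_hash):
        return None
    return {"login": stored_login, "is_admin": bool(is_admin)}


def demo() -> dict:
    # Shows that a login value carrying SQL syntax simply fails to match a user.
    conn = build_demo_db()
    return {
        "valid": authenticate(conn, "alice", "correct horse"),
        "wrong_password": authenticate(conn, "alice", "nope"),
        "quoted_login": authenticate(conn, "alice' --", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies whatever the driver: in PHP that means PDO or mysqli prepared statements with bound parameters rather than string interpolation into the query text.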
The concrete impacts named in the CVE are worth spelling out:
- Attackers can create privileged accounts.
- Attackers can read sensitive data from the database.
- If the application's database user has elevated privileges, OS command execution is also possible.
| Item | Detail |
|---|---|
| Affected component | ProjeQtor login functionality |
| Affected versions | 7.0 through 12.4.3 |
| First unaffected version | 12.4.4 |
| CVSS 3.1 | 9.8 Critical |
| CVSS 4.0 | 9.3 Critical |
SQLi in the login path sits on the auth boundary - before any session or identity check. On an internet-reachable instance, this is an application takeover path, not a bug to schedule for the next maintenance window.
Who is impacted
- Any deployment running ProjeQtor versions 7.0 through 12.4.3.
- Internet-exposed instances or broadly reachable internal deployments where the login endpoint is accessible to untrusted users.
- Highest risk where the application's database account carries elevated privileges - that's the path to OS command execution.
What to do now
- Upgrade to 12.4.4 or later. That is the first unaffected version per the CVE record.
- Inventory every ProjeQtor deployment - VMs, containers, on-prem - and confirm whether any instance falls in the 7.0 to 12.4.3 range.
- Reduce blast radius while you patch:
  - Restrict network access to the ProjeQtor login endpoint via VPN or allowlists where operationally feasible.
  - Audit the ProjeQtor database user's privileges and strip anything unnecessary - especially any capability that could reach OS-level execution.
- If you suspect the instance was already exposed:
  - Review authentication and application logs for anomalous login attempts with unusual username payloads.
  - Audit for unexpected new admin accounts and any privilege changes.
  - Rotate all credentials and API keys stored in - or accessible from - the ProjeQtor environment.
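Two of the steps above (the version inventory and the log review) lend themselves to a small script. The block below is an added example, not tooling from ProjeQtor or the CVE record: it checks reported version strings against the 7.0 to 12.4.3 range stated in the advisory, and scores login names from a constructed tab-separated log (timestamp, client IP, login name, result) for SQL-looking content. The log format, host names, scoring weights and threshold are all assumptions; adapt the parser to whatever your deployment actually writes.

```python
import re
from typing import Iterable

# Affected range from the advisory: 7.0 through 12.4.3, first unaffected 12.4.4.
AFFECTED_FROM = (7, 0, 0)
FIXED_IN = (12, 4, 4)


def parse_version(text: str) -> tuple:
    """Turn '12.4.3', 'v12.4' or '7' into a zero-padded (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return AFFECTED_FROM <= v < FIXED_IN


def inventory_report(instances: dict) -> list:
    """Return host names (sorted) whose reported version falls in the affected range."""
    return sorted(host for host, ver in instances.items() if is_affected(ver))


# Heuristics for a login name that looks like SQL rather than an identifier.
# A lone quote is weighted low because real names (o'brien) contain one.
_INDICATORS = [
    (re.compile(r"['\"]"), 1, "quote"),
    (re.compile(r"--|/\*|;"), 2, "comment-or-terminator"),
    (re.compile(r"\b(union|select|sleep|benchmark|load_file|outfile)\b", re.I), 2, "sql-keyword"),
]
FLAG_THRESHOLD = 2


def score_login_name(name: str) -> tuple:
    score, reasons = 0, []
    for pattern, weight, label in _INDICATORS:
        if pattern.search(name):
            score += weight
            reasons.append(label)
    if len(name) > 64:
        score += 1
        reasons.append("overlong")
    return score, reasons


def flag_suspicious_logins(lines: Iterable[str]) -> list:
    """Scan constructed 'timestamp<TAB>ip<TAB>login<TAB>result' lines; return flagged entries."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed line; a real parser would log and count these
        ts, ip, login, result = fields
        score, reasons = score_login_name(login)
        if score >= FLAG_THRESHOLD:
            hits.append({"time": ts, "ip": ip, "login": login, "result": result, "reasons": reasons})
    return hits


# Constructed sample data for the demonstration.
SAMPLE_INVENTORY = {
    "pm-prod-01": "12.4.3",
    "pm-staging": "12.4.4",
    "pm-legacy": "v9.1",
    "pm-lab": "6.5.2",
}
SAMPLE_LOG = [
    "2026-05-02T08:14:03Z\t10.0.0.5\talice\tok",
    "2026-05-02T08:14:40Z\t203.0.113.7\tadmin' --\tfail",
    "2026-05-02T08:15:02Z\t203.0.113.7\tx' UNION SELECT 1,2,3 --\tfail",
    "2026-05-02T08:15:30Z\t10.0.0.9\to'brien\tok",
]

if __name__ == "__main__":
    print("affected hosts:", inventory_report(SAMPLE_INVENTORY))
    for hit in flag_suspicious_logins(SAMPLE_LOG):
        print(hit)
```

Treat the scorer as a triage filter, not a verdict: a flagged name from an address that also shows a burst of failures followed by a success, or that coincides with a new administrator account, is what merits the credential rotation and account audit listed above.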
