PatchSiren cyber security CVE debrief

CVE-2026-41465 ProjeQtor CVE debrief

CVE-2026-41465 documents a path traversal vulnerability in ProjeQtor project management software affecting versions 7.0 through 12.4.3. The vulnerability resides in the log file viewer component at dynamicDialog.php, where the logname parameter fails to validate directory traversal sequences before file path construction. Authenticated attackers can exploit this weakness by injecting ../ sequences into the logname parameter to read arbitrary .log files accessible to the web server process. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack prerequisites, low privileges required, no user interaction, and high confidentiality impact to the vulnerable component. The vulnerability was published to CVE on 2026-04-27 and last modified on 2026-05-26. The NVD entry currently carries a 'Deferred' status. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: ProjeQtor
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-27
Original CVE updated: 2026-05-26
Advisory published: 2026-04-27
Advisory updated: 2026-05-26

Who should care

Organizations running ProjeQtor project management software versions 7.0 through 12.4.3, particularly those with multi-user deployments where standard users should not access system or application logs. Security teams monitoring for path traversal vulnerabilities in PHP applications. System administrators responsible for ProjeQtor deployment and maintenance.

Technical summary

The vulnerability exists in ProjeQtor's dynamicDialog.php endpoint, which provides log file viewing functionality. The logname parameter accepts user-supplied filenames without sanitization of directory traversal sequences. When processing requests, the application constructs filesystem paths by directly incorporating the logname value, enabling authenticated users to escape the intended log directory and read arbitrary .log files readable by the web server UID. The attack requires valid authentication credentials but no privileges beyond standard user access. Successful exploitation results in unauthorized file read access with high confidentiality impact. The vulnerability affects a broad version range, 7.0 through 12.4.3, indicating a long-standing presence in the codebase.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade ProjeQtor to a version beyond 12.4.3 when a patched release becomes available
  • Implement input validation on the logname parameter in dynamicDialog.php to reject directory traversal sequences including ../ and encoded variants
  • Apply principle of least privilege to web server process filesystem access, restricting readable paths to necessary application directories
  • Deploy Web Application Firewall rules to detect and block path traversal patterns in requests to dynamicDialog.php
  • Review and restrict access to the log file viewer functionality to administrative roles only
  • Monitor access logs for suspicious patterns involving dynamicDialog.php with logname parameters containing traversal sequences
  • Consider relocating log files outside web-accessible directories and implementing log aggregation to separate infrastructure
  • Validate that file path construction uses safe APIs that prevent directory traversal rather than string concatenation
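The input validation, safe path construction and access-log monitoring recommended above, as an added example that is not ProjeQtor's code and is written in Python rather than PHP because the checks themselves are language-independent. The unsafe pattern is shown only as a path string beside the hardened resolver (allowlist the name, canonicalize, confirm containment), and a detector flags any logname value sent to dynamicDialog.php that the hardened resolver would reject, after undoing double percent-encoding. LOG_ROOT, the parameter handling and the access-log lines are constructed assumptions.

```python
"""Constructed example, not ProjeQtor code: unsafe concatenation beside a
hardened log-path resolver, plus a detector run over sample access logs."""
import os
import re
import urllib.parse
from typing import List, Optional, Tuple

LOG_ROOT = "/var/www/projeqtor/logs"  # hypothetical log directory
# Allowlist: a plain file name ending in .log, no separators, no leading dot.
SAFE_LOGNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.log$")


def unsafe_log_path(logname: str, root: str = LOG_ROOT) -> str:
    """The vulnerable pattern: the parameter goes straight into the path,
    so '../' components escape root when the path is later opened."""
    return os.path.join(root, logname)


def safe_log_path(logname: str, root: str = LOG_ROOT) -> Optional[str]:
    """Hardened resolver: allowlist, canonicalize, then confirm containment."""
    if not SAFE_LOGNAME.fullmatch(logname):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, logname))
    # commonpath avoids a prefix false-positive such as /var/logs vs /var/logs2
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def percent_decode_fully(value: str, rounds: int = 3) -> str:
    """Decode repeatedly so double-encoded sequences (%252e%252e%252f) surface."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Combined log format: client, ident, user, [time], "METHOD target PROTO", status
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_traversal_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, decoded logname, status) for every dynamicDialog.php
    request whose logname the hardened resolver would refuse."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parsed = urllib.parse.urlsplit(target)
        if not parsed.path.endswith("dynamicDialog.php"):
            continue
        params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
        for raw in params.get("logname", []):
            decoded = percent_decode_fully(raw)  # parse_qs decoded once already
            if safe_log_path(decoded) is None:
                hits.append((client, decoded, status))
    return hits


# Constructed access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [27/Apr/2026:10:01:02 +0000] "GET /view/dynamicDialog.php?logname=app.log HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Apr/2026:10:01:09 +0000] "GET /view/dynamicDialog.php?logname=../../../../var/log/apache2/error.log HTTP/1.1" 200 9812',
    '198.51.100.23 - - [27/Apr/2026:10:02:44 +0000] "GET /view/dynamicDialog.php?logname=%252e%252e%252fother.log HTTP/1.1" 200 77',
    '198.51.100.23 - - [27/Apr/2026:10:02:50 +0000] "GET /view/index.php HTTP/1.1" 200 3301',
]

if __name__ == "__main__":
    print("unsafe :", unsafe_log_path("../../other.log"))
    print("safe   :", safe_log_path("app.log"), safe_log_path("../../other.log"))
    for client, name, status in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"ALERT client={client} logname={name!r} status={status}")
```

A 200 status on a flagged request is the signal that matters for triage: it means the viewer served a file the resolver would have refused, so the access pattern in the debrief is being exercised rather than merely probed.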

Evidence notes

Vulnerability description sourced from NVD modified feed with CVSS 4.0 scoring. Vendor identification marked as low confidence with 'Unknown Vendor' designation and 'Damiri' referenced as domain candidate. Multiple disclosure sources identified including damiri.fr, gryfman.fr, and VulnCheck advisory. CPE criteria not populated in source data. Weakness classified as CWE-22 (Path Traversal).
