Tags: CVE-2026-41462 · ProjeQtor · SQL injection · PMO · auth bypass · CVE

ProjeQtor CVE-2026-41462: Unauthenticated SQL Injection on Login

ProjeQtor 7.0 to 12.4.3 contains a critical SQL injection (CVSS 9.8) on the login endpoint. Privileged account creation, data theft, possible RCE.

May 3, 2026 · 4 min read

ProjeQtor, the French open-source project management and PMO tool used by many mid-market companies and public-sector bodies, has just been hit by a CVSS 9.8 critical vulnerability. CVE-2026-41462 is an unauthenticated SQL injection in the login feature: the login variable is concatenated directly into a SQL query with no parameterization or sanitization. Any internet-exposed ProjeQtor instance can be compromised by an attacker who doesn't even need to know a valid username.


Technical Details

The authentication endpoint receives the login field submitted in the login form. Instead of using a prepared statement (prepare() + bindParam()), the code builds the SQL query through string concatenation:

// Reconstructed pseudo-code (typical vulnerable pattern)
$query = "SELECT * FROM users WHERE login = '" . $_POST['login'] . "' AND ...";

An attacker injects arbitrary SQL into the login field:

login=admin' UNION SELECT 1,2,3,4-- 
login=' OR 1=1; INSERT INTO users (login, role) VALUES ('hacker', 'admin')--

Whether the second payload runs depends on the database driver as much as on the DB account: mysqli::query() refuses stacked statements, whereas PDO_MySQL with emulated prepares (its default) executes both. What the attacker can then reach depends on the privileges of the database account ProjeQtor uses:

  • Limited DB user: data extraction via UNION SELECT, privileged account creation via INSERT (where stacked queries are executed)
  • Privileged DB user: OS command execution via xp_cmdshell (SQL Server), or a web shell dropped into the web root with SELECT ... INTO OUTFILE (MySQL; needs the FILE privilege and a secure_file_priv setting that does not block the target directory)
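To make the concatenation-versus-prepared-statement difference concrete, here is an added example that is not ProjeQtor's code: a stand-in login check against an in-memory SQLite table with constructed rows, run with the article's bypass and UNION payloads against both the vulnerable and the fixed form, plus the stacked INSERT to show that its success depends on the driver.

```python
import sqlite3

# Constructed sample rows standing in for ProjeQtor's users table (not real data).
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99", "admin"),
    (2, "alice", "e10adc3949ba59abbe56e057f20f883e", "user"),
]


def make_db():
    """In-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, login, password_hash):
    """Same shape as the pseudo-code above: the login value is spliced into the
    SQL text, so quotes and comment markers in it become part of the query."""
    query = (
        "SELECT id, login, role FROM users WHERE login = '" + login
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchall()


def login_fixed(conn, login, password_hash):
    """Prepared statement: values travel separately from the SQL text, so a
    quote inside the login is just a character to compare against."""
    return conn.execute(
        "SELECT id, login, role FROM users WHERE login = ? AND password_hash = ?",
        (login, password_hash),
    ).fetchall()


# Payloads from the article, adapted to the 3-column query used here.
BYPASS_LOGIN = "admin' --"                      # comments out the password check
UNION_LOGIN = ("' UNION SELECT id, login || ':' || password_hash, role "
               "FROM users --")                 # dumps every login:hash pair
STACKED_LOGIN = "'; INSERT INTO users VALUES (99, 'hacker', 'x', 'admin') --"


def stacked_insert_landed(conn):
    """Run the stacked-query payload and report whether the INSERT executed.
    Whether it does depends on the driver, not only on DB privileges: sqlite3's
    execute() refuses a second statement, and so does mysqli::query(), while
    PDO_MySQL with emulated prepares (its default) runs both statements."""
    try:
        login_vulnerable(conn, STACKED_LOGIN, "x")
    except Exception:
        pass  # the driver rejected the second statement before running it
    row = conn.execute("SELECT 1 FROM users WHERE login = 'hacker'").fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("bypass, vulnerable:", login_vulnerable(db, BYPASS_LOGIN, "wrong"))
    print("bypass, fixed:     ", login_fixed(db, BYPASS_LOGIN, "wrong"))
    print("union dump:        ", login_vulnerable(db, UNION_LOGIN, "wrong"))
    print("stacked INSERT ran:", stacked_insert_landed(db))
```

The fixed variant still authenticates a genuine login/hash pair; it only stops the quote from ending the string literal. Swap the sqlite3 connection for a MySQL or PostgreSQL one and the parameterized call looks the same, which is the whole point of the fix.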

Characteristics

Field            Value
CVSS 3.1         9.8 (CRITICAL)
Vector           AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE              CWE-89 (SQL Injection)
Authentication   None (pre-auth, on the login page)
Endpoint         /index.php (authentication, login parameter)

Affected Products and Versions

Product      Affected versions        Status
ProjeQtor    7.0 → 12.4.3 inclusive   ❌ Vulnerable

The vendor recommends upgrading to the latest available release. Check the official release page for the exact patched version.


Exploitation and Impact

Attack vector

Any ProjeQtor instance reachable over HTTP/HTTPS — which includes virtually all enterprise intranet deployments and a non-trivial number of public instances (demo environments, poorly protected private cloud instances).

Impact

1. Admin account creation (most likely)

The attacker injects an INSERT creating an account with administrator role. Once logged in, they have full access to every project, resource, and document stored in ProjeQtor — potentially including:

  • Project plans and customer budgets
  • Internal documents (specs, contracts)
  • HR data (staff assigned to projects)
  • Strategic roadmaps and planning

2. Mass data extraction

Via UNION SELECT, the attacker can exfiltrate the entire database: users table with password hashes, project data, emails, DB-stored attachments.

3. RCE via the database

If the DB account has the right permissions, escalation to RCE:

  • MySQL: SELECT '<?php system($_GET["c"]);?>' INTO OUTFILE '/var/www/html/shell.php' (needs the FILE privilege, a secure_file_priv setting that does not block the path, and a web root writable by the MySQL server process)
  • PostgreSQL: COPY ... FROM PROGRAM (available since PostgreSQL 9.3; requires a superuser or a member of pg_execute_server_program)
  • MSSQL: xp_cmdshell (disabled by default, but a sysadmin-level account can re-enable it with sp_configure, and some deployments leave it on)

Detection and IOCs

Web server logs (Apache/Nginx)

Hunt access logs for login-page requests containing SQL injection patterns. Keep in mind that standard Apache/Nginx access logs record only the request line: a login submitted as a POST body never appears there, so the grep below catches GET-based probes only, and you need a source that logs request bodies (ModSecurity audit log, reverse-proxy request logging) to see the rest:

grep -Ei "login=.*['\"%].*(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|--|;)" /var/log/apache2/access.log

Typical indicators:

  • login=' OR '1'='1
  • login=admin' --
  • login=' UNION SELECT
  • login=%27 (URL-encoded single quote)
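The same hunt as an added Python example (not part of the original article or of any cveo.tech tooling): it parses constructed Apache combined-format lines, URL-decodes the login parameter, and flags only values that combine a quote with a SQL keyword, comment marker or statement separator, so a legitimate login such as o'brien is not reported. The POST line in the sample shows the blind spot mentioned above: with no body in the log there is nothing to inspect.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2026:10:12:01 +0000] "GET /index.php?login=admin%27%20--&password=x HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [03/May/2026:10:12:02 +0000] "GET /index.php?login=%27%20UNION%20SELECT%201,2,3,4--&password=x HTTP/1.1" 200 9211 "-" "curl/8.0"
198.51.100.7 - - [03/May/2026:10:13:40 +0000] "GET /index.php?login=o%27brien&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2026:10:14:00 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords and separators that turn a stray quote into an injection attempt.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|or|and)\b", re.I)
COMMENT_OR_SEPARATOR = re.compile(r"--|#|/\*|;")


def login_param(target):
    """Decoded value of the login= query parameter, or None when absent
    (a POST body is not in the access log, so POST logins always give None)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("login")
    return values[0] if values else None


def looks_like_sqli(value):
    """Quote plus keyword/comment/separator; a quote alone (o'brien) is not enough."""
    if value is None:
        return False
    has_quote = "'" in value or '"' in value
    return has_quote and bool(
        SQL_KEYWORDS.search(value) or COMMENT_OR_SEPARATOR.search(value)
    )


def scan(log_text):
    """Return (ip, timestamp, decoded login) for each suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        value = login_param(m.group("target"))
        if looks_like_sqli(value):
            hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} login={value!r}")
```

Decoding before matching is what makes the %27 indicator above usable: the raw log shows %27%20UNION, the regex sees ' UNION. Double-encoded payloads (%2527) would need a second decoding pass, which this example does not perform.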

ProjeQtor / database logs

  • Successful admin logins from unknown external IPs
  • Sudden creation of administrator accounts (cross-correlate with the application audit log)
  • Abnormal volume of SELECT queries on users or sensitive tables

WAF rule (ModSecurity example)

SecRule ARGS:login "@detectSQLi" \
  "id:'2026041462',phase:2,deny,status:403,\
   msg:'ProjeQtor CVE-2026-41462 SQL injection attempt'"

Mitigation and Patch

Priority action: update

# Mandatory backup before any upgrade
mysqldump -u user -p projeqtor > projeqtor-backup-$(date +%Y%m%d).sql

# Download and install the latest version
# (follow the official ProjeQtor upgrade procedure)

Workaround if patching is delayed

  1. Restrict network access: limit the ProjeQtor instance to a VPN or internal IPs
  2. Put a WAF in front (ModSecurity, Cloudflare, AWS WAF) with SQL injection ruleset enabled
  3. If usage allows, temporarily restrict the login page to clients presenting a client certificate (mTLS) instead of leaving it open to everyone
  4. Audit existing admin accounts to detect prior compromise

Long-term hardening

  • Migrate ProjeQtor's DB account to one with strictly necessary permissions (no FILE, no xp_cmdshell)
  • Enable detailed SQL query logging to support incident hunting
  • Rotate passwords for all current admin accounts as a precaution

Why Continuous Monitoring of Business Apps Matters

PMO, ITSM, and internal collaboration tools are rarely watched as closely as internet-facing servers — yet they often hold the most sensitive data in an organization: roadmaps, budgets, contracts, HR records. A CVE like this one, on a vendor with a historically quiet security advisory channel, can slip through unnoticed if you don't keep a current application inventory.

With cveo.tech, automatically monitor your self-hosted open-source and SaaS applications and get alerts the moment a critical CVE targets one of your versions — without having to manually track every vendor's release notes.
