← volver
CVE-2026-41464

ProjeQtor < 12.4.4 Missing Authorization via objectDetail.php

CVSS 7.1 HIGHEPSS 0.3%CWE-862
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
ProjeQtor · ProjeQtor
PoCs públicas encontradas2
cve_referencedamiri.fr/en/cves/CVE-2026-41464no verificadocve_referencegryfman.fr/cves/CVE-2026-41464no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://damiri.fr/en/cves/CVE-2026-41464https://gryfman.fr/cves/CVE-2026-41464https://www.projeqtor.comhttps://www.vulncheck.com/advisories/projeqtor-missing-authorization-via-objectdetail-php