← voltar
CVE-2026-41464

ProjeQtor < 12.4.4 Missing Authorization via objectDetail.php

CVSS 7.1 HIGHEPSS 0.3%CWE-862
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Produtos afetados
ProjeQtor · ProjeQtor
PoCs públicas encontradas2
cve_referencedamiri.fr/en/cves/CVE-2026-41464não verificadocve_referencegryfman.fr/cves/CVE-2026-41464não verificado
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://damiri.fr/en/cves/CVE-2026-41464https://gryfman.fr/cves/CVE-2026-41464https://www.projeqtor.comhttps://www.vulncheck.com/advisories/projeqtor-missing-authorization-via-objectdetail-php