ProjeQtor ZipSlip Flaw: Authenticated RCE via Plugin Upload
The National Vulnerability Database has identified CVE-2026-41463, a critical ZipSlip path traversal vulnerability impacting ProjeQtor versions 7.0 through 12.4.3. This flaw resides within the plugin upload functionality. Attackers who gain authenticated access and possess upload privileges can exploit this by submitting specially crafted ZIP archives. These archives contain directory traversal sequences, enabling the attacker to write files outside the intended extraction directory. The National Vulnerability Database notes that successful exploitation can lead to remote code execution.
What This Means For You
- If your organization uses ProjeQtor, immediately investigate versions 7.0 through 12.4.3. Check for unauthorized file uploads or unexpected PHP files in web-accessible directories. Prioritize patching or upgrading to a secure version to mitigate the risk of authenticated attackers achieving remote code execution.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41463 ProjeQtor Plugin Upload RCE via ZipSlip
title: CVE-2026-41463 ProjeQtor Plugin Upload RCE via ZipSlip
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
Detects the ProjeQtor plugin upload functionality being used with a POST request that results in a successful upload (HTTP 200) and the URI containing a .php extension, indicative of a webshell upload exploiting the ZipSlip vulnerability (CVE-2026-41463).
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41463/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/plugin/upload'
cs-method:
- 'POST'
sc-status:
- '200'
uri|contains:
- '.php'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41463 | Vulnerability | CVE-2026-41463 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7142 — A vulnerability was determined in Wooey up to 0.13.2. The
CVE-2026-7142 — A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component...
CVE-2026-7141 — Vllm Vulnerability
CVE-2026-7141 — A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component...
CVE-2026-7140: Critical OS Command Injection in Totolink A8000RU Routers
CVE-2026-7140 — A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler....