CVE-2026-41466
Received Received - Intake
Stored XSS in ProjeQtor Security.php Allows Persistent Script Injection

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VulnCheck

Description
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41466
EUVD
EUVD-2026-25869
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projeqtor projeqtor From 7.0 (inc) to 12.4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the checkValidHtmlText() function within Security.php of ProjeQtor versions 7.0 through 12.4.3. Detection typically involves inspecting user input fields and stored content for malicious payloads that use alternative HTML syntax such as img tags with event handlers.

Since the vulnerability involves stored XSS, detection can be done by reviewing the database or application content for suspicious HTML or JavaScript code that bypasses the filter.

No specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating ProjeQtor to a version later than 12.4.3 where this vulnerability is fixed.

If an update is not immediately possible, review and enhance input sanitization and output encoding in the checkValidHtmlText() function or apply web application firewall (WAF) rules to block malicious payloads using alternative HTML syntax such as img tags with event handlers.

Additionally, restrict user privileges to limit the ability to inject malicious content and educate users about the risks of interacting with untrusted content.

Executive Summary

CVE-2026-41466 is a stored cross-site scripting (XSS) vulnerability in ProjeQtor versions 7.0 through 12.4.3. It exists in the checkValidHtmlText() function within the Security.php file, which fails to properly sanitize user input. The function only detects specific patterns but returns unsanitized strings without proper output encoding.

Attackers can exploit this by injecting malicious payloads that bypass the filter using alternative HTML syntax, such as img tags with event handlers. These payloads are stored on the server and executed in the browsers of users who view the affected content.

Impact Analysis

This vulnerability allows attackers to inject malicious scripts that are stored and later executed in the browsers of users viewing the affected content. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts.

Because the attack vector is network-based with low complexity and requires user interaction, attackers can exploit this vulnerability remotely to affect users who access the vulnerable application.

Compliance Impact

The provided information does not specify how the stored cross-site scripting vulnerability in ProjeQtor affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart