CVE-2026-41466
Stored XSS in ProjeQtor Security.php Allows Persistent Script Injection
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projeqtor | projeqtor | From 7.0 (inc) to 12.4.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41466 is a stored cross-site scripting (XSS) vulnerability in ProjeQtor versions 7.0 through 12.4.3. It exists in the checkValidHtmlText() function within the Security.php file, which fails to properly sanitize user input. The function only detects specific patterns but returns unsanitized strings without proper output encoding.
Attackers can exploit this by injecting malicious payloads that bypass the filter using alternative HTML syntax, such as img tags with event handlers. These payloads are stored on the server and executed in the browsers of users who view the affected content.
How can this vulnerability impact me?
This vulnerability allows attackers to inject malicious scripts that are stored and later executed in the browsers of users viewing the affected content. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts.
Because the attack vector is network-based with low complexity and requires user interaction, attackers can exploit this vulnerability remotely to affect users who access the vulnerable application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the stored cross-site scripting vulnerability in ProjeQtor affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in the checkValidHtmlText() function within Security.php of ProjeQtor versions 7.0 through 12.4.3. Detection typically involves inspecting user input fields and stored content for malicious payloads that use alternative HTML syntax such as img tags with event handlers.
Since the vulnerability involves stored XSS, detection can be done by reviewing the database or application content for suspicious HTML or JavaScript code that bypasses the filter.
No specific detection commands are provided in the available resources.
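Since the record supplies no detection commands, the following is an added example (not from the CVE record and not ProjeQtor's own code) of the content review described above: a small Python scan over stored HTML fields that parses the markup and flags event-handler attributes, script-bearing elements and javascript:/data: URLs, so that the alternative syntax the record mentions is caught rather than only a literal script tag. The row tuples are constructed sample data; in practice you would feed `scan_rows()` the contents of whichever table columns hold user-supplied HTML.

```python
"""Heuristic scan of stored HTML fields for script-bearing markup.

Added example, not code from ProjeQtor or from the CVE record. It walks
the HTML with the standard-library parser so that alternative syntax (an
img tag carrying an event-handler attribute, a javascript: URL) is caught,
not just a literal <script> tag. The rows below are constructed sample
data, not real ProjeQtor database content.
"""
from html.parser import HTMLParser

# Constructed sample rows, shaped like (row id, field name, stored content).
SAMPLE_ROWS = [
    (1, "description", "<p>Update the <b>budget</b> before Friday.</p>"),
    (2, "description", '<img src="x" onerror="alert(1)">'),
    (3, "comment", '<a href="javascript:alert(1)">details</a>'),
    (4, "comment", "<script>fetch('/somewhere')</script>"),
    (5, "note", "Plain text with a <b>tag</b> and no handlers"),
]

# Attributes whose value is interpreted as a URL by the browser.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class SuspiciousMarkupFinder(HTMLParser):
    """Collects reasons a fragment of stored HTML looks script-bearing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.reasons.append(f"event handler {lname}= on <{tag}>")
            elif lname in URL_ATTRS and value:
                # Strip whitespace that browsers ignore before the scheme.
                compact = "".join(value.split()).lower()
                if compact.startswith(("javascript:", "data:")):
                    scheme = compact.split(":", 1)[0]
                    self.reasons.append(f"{lname} uses {scheme}: URL on <{tag}>")

    # Self-closing form such as <img ... /> is handled the same way.
    handle_startendtag = handle_starttag


def find_suspicious_markup(fragment: str) -> list:
    """Return human-readable reasons for flagging; an empty list means clean."""
    finder = SuspiciousMarkupFinder()
    finder.feed(fragment)
    finder.close()
    return finder.reasons


def scan_rows(rows) -> list:
    """Return (row_id, field, reasons) for every row whose content is flagged."""
    findings = []
    for row_id, field, content in rows:
        reasons = find_suspicious_markup(content)
        if reasons:
            findings.append((row_id, field, reasons))
    return findings


if __name__ == "__main__":
    for row_id, field, reasons in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id} ({field}): " + "; ".join(reasons))
```

The scan is a triage aid, not proof of compromise: a flagged row needs a human look at who wrote it and when, and a clean result only says the fragment parsed without any of the listed constructs.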
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating ProjeQtor to a version later than 12.4.3 where this vulnerability is fixed.
If an update is not immediately possible, review and enhance input sanitization and output encoding in the checkValidHtmlText() function or apply web application firewall (WAF) rules to block malicious payloads using alternative HTML syntax such as img tags with event handlers.
Additionally, restrict user privileges to limit the ability to inject malicious content and educate users about the risks of interacting with untrusted content.
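The explanation at the top of the Q&A (a check that recognises a few patterns but hands the string back without output encoding) and the mitigation advice just above (enhance sanitisation and output encoding) are illustrated together by this added example. It is not ProjeQtor code: `accepts_html_text` is a hypothetical stand-in for a pattern-only input check, not the real checkValidHtmlText(), and `encode_for_html` / `render_comment` show the output-side control that makes stored content inert regardless of what the input check missed.

```python
"""Why a pattern check that returns its input unchanged is not a fix.

Added example, not the ProjeQtor code. `accepts_html_text` is a
hypothetical blocklist-style check of the kind the CVE describes (it
recognises one pattern and otherwise lets the string through); it is not
the real checkValidHtmlText(). `encode_for_html` applies HTML encoding at
output time, which neutralises whatever the input check let through.
"""
import html
import re

# Hypothetical blocklist: catches an explicit <script> tag and nothing else.
_BLOCKED = re.compile(r"<\s*script\b", re.IGNORECASE)


def accepts_html_text(text: str) -> bool:
    """Hypothetical input check: True means the text would be stored as-is."""
    return _BLOCKED.search(text) is None


def encode_for_html(text: str) -> str:
    """Encode for an HTML text or quoted-attribute context (quotes included)."""
    return html.escape(text, quote=True)


def render_comment_unsafe(stored: str) -> str:
    """The failure mode: stored text echoed into the page without encoding."""
    return f'<div class="comment">{stored}</div>'


def render_comment(stored: str) -> str:
    """Hardened render: encode at output time, whatever the input filter did."""
    return f'<div class="comment">{encode_for_html(stored)}</div>'


# Constructed inputs: the first is caught by the blocklist, the second uses
# the alternative syntax the record mentions and is not, the third is benign.
EXAMPLES = [
    "<script>alert(1)</script>",
    '<img src="x" onerror="alert(1)">',
    "Budget <b>approved</b>",
]

if __name__ == "__main__":
    for text in EXAMPLES:
        print(f"input check accepts: {accepts_html_text(text)!s:5}  "
              f"unsafe render: {render_comment_unsafe(text)}")
        print(f"{'':27}safe render:   {render_comment(text)}")
```

Encoding on output also neutralises benign markup such as the `<b>` in the third input. If the application must allow rich text, the right pairing is an allow-list HTML sanitiser on input (specific tags and attributes permitted, everything else dropped) plus encoding in every other output context; a blocklist of known bad patterns, as the record notes, is bypassed by syntax it did not anticipate.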