Executive Summary

CVE-2026-41467 is a stored cross-site scripting (XSS) vulnerability affecting ProjeQtor versions 7.0 through 12.4.3. It occurs because the checkValidFileName() function in the file upload feature does not properly restrict the upload of HTML and HTM files.

Authenticated attackers can upload HTML files containing arbitrary JavaScript code through image upload or attachment endpoints. When any user accesses the URL of the uploaded malicious file, the embedded JavaScript executes in their browser.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized actions or data compromise because the malicious JavaScript embedded in the uploaded HTML files executes in the browsers of users who access those files.

Since the attack requires an authenticated attacker to upload the malicious file and user interaction to trigger the script, it can still result in medium severity impacts such as session hijacking, data theft, or manipulation of user actions within the affected application.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying whether HTML or HTM files have been uploaded through the file upload functionality of ProjeQtor versions 7.0 through 12.4.3, especially via image upload or attachment endpoints.

Since the vulnerability allows authenticated attackers to upload HTML files containing arbitrary JavaScript, one approach is to scan the upload directories or database entries for files with .html or .htm extensions that should not normally be present.

Commands to detect such files on a Linux-based system might include:

• find /path/to/projeqtor/uploads -type f \( -iname "*.html" -o -iname "*.htm" \)
• grep -r --include=*.html '<script' /path/to/projeqtor/uploads
• Review web server logs for requests to uploaded HTML/HTM files that could indicate exploitation attempts.

Note that detection requires authenticated access to the system or logs, as the vulnerability involves authenticated attackers uploading malicious files.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the upload of HTML and HTM files through the file upload functionality in ProjeQtor versions 7.0 through 12.4.3.

Administrators should:

• Implement strict validation on uploaded file types to block HTML and HTM files.
• Review and remove any existing uploaded HTML or HTM files that could contain malicious scripts.
• Limit user privileges to reduce the risk of authenticated attackers uploading malicious files.
• Educate users to avoid clicking on suspicious uploaded file URLs.

Long-term mitigation involves applying patches or updates from the ProjeQtor project that address this vulnerability once available.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers to upload malicious HTML files containing arbitrary JavaScript, which executes in the browsers of users who access the uploaded files. This can lead to unauthorized actions or data compromise.

Such unauthorized data access or compromise could potentially impact compliance with common standards and regulations like GDPR or HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly describe the direct impact on compliance with these standards.

Useful 0 Not Useful 0