CVE-2026-41466
Published 2026-04-27
Priority P4 · 27 · medium · 5.4 (CVSS 3.1)
EPSS: 0.18% (8.1th percentile)
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function in Security.php. The function does not properly sanitize user input: it only checks the input for specific known patterns and otherwise returns the string unchanged, with no output encoding. Attackers can inject payloads that bypass the pattern check using alternative syntax, such as img tags with event handlers; the payload is stored and later executed in the browsers of users viewing the affected content.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projeqtor | projeqtor | 7.0 – 12.4.3 | — |
CVSS provenance
- NVD, CVSS v3.1: 5.4 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v4.0: 5.1 (MEDIUM), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-8pgv-76j9-qj4g (unreviewed, 2026-04-27): CVE-2026-41466 [MEDIUM], CWE-79. The advisory carries the same description as the CVE entry above.
VulDB
ProjeQtor up to 12.4.3 Security.php checkValidHtmlText cross-site scripting (VulDB, 2026-04-27, CVSS 5.1, CVE-2026-41466 [MEDIUM])
A vulnerability was found in ProjeQtor up to 12.4.3 and classified as problematic. Affected by this vulnerability is the function checkValidHtmlText of the file Security.php. The manipulation results in cross-site scripting.
This vulnerability is reported as CVE-2026-41466. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.