CVE-2026-41467
Published 2026-04-27
Priority P4 (29) · medium 5.4 (CVSS 3.1)
CVSS 3.1 metrics: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.18% (7.8th percentile)
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.
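The failure mode described above is an upload filter that only bans a few "dangerous" extensions and therefore still accepts `.html`/`.htm`, which the browser renders in the application's origin. The following is an added, constructed Python illustration (not ProjeQtor's checkValidFileName() and not the project's code; all names are hypothetical) of that weak denylist beside an allowlist check that also handles null-byte and path-separator tricks, plus the response headers a defender serves uploads with so that a stored file is never executed as a document.

```python
import mimetypes

# Denylist of the kind the advisory describes: it never names html/htm, so a
# browser-rendered page containing <script> is accepted (constructed list).
WEAK_DENYLIST = {"php", "phtml", "php3", "exe", "sh"}

# Allowlist: only what the upload feature needs; rendering types such as
# html, htm, xhtml and svg are deliberately absent.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv", "zip"}

# MIME types a browser would execute script from if served inline.
ACTIVE_MIME = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def _extension(name: str) -> str:
    """Final dotted segment, lower-cased; '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def weak_check(filename: str) -> bool:
    """Vulnerable pattern: accept unless the extension is explicitly banned."""
    return _extension(filename) not in WEAK_DENYLIST


def strict_check(filename: str) -> bool:
    """Hardened pattern: reject path separators, control bytes (null-byte
    truncation), dot-files and anything not on the allowlist."""
    if not filename or "/" in filename or "\\" in filename:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    stem, ext = filename.rsplit(".", 1) if "." in filename else (filename, "")
    return bool(stem) and ext.lower() in ALLOWED


def serve_headers(stored_name: str) -> dict:
    """Defence in depth when serving uploads: never let the browser render or
    sniff a stored file as an active document in the application's origin."""
    mime = mimetypes.guess_type(stored_name)[0] or "application/octet-stream"
    if mime in ACTIVE_MIME:
        mime = "application/octet-stream"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for name in ("photo.png", "page.html", "page.HTM", "photo.png\x00.html"):
        print(repr(name), "weak:", weak_check(name), "strict:", strict_check(name))
```

The allowlist check is the fix for the upload path; the headers are the second layer that still protects users if a rendering type ever reaches storage.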
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projeqtor | projeqtor | 7.0 – 12.4.3 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
vuldb · 2026-04-27 · CVSS 5.1
CVE-2026-41467 [MEDIUM] ProjeQtor up to 12.4.3 File checkValidFileName cross site scripting
A vulnerability identified as problematic has been detected in ProjeQtor up to 12.4.3. Impacted is the function checkValidFileName of the component File Handler. The manipulation leads to cross site scripting.
This vulnerability is uniquely identified as CVE-2026-41467. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-04-27
CVE-2026-41467 [MEDIUM] CWE-79 GHSA-g3mv-hfmp-474q: ProjeQtor versions 7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-27: Published