CVE-2026-41466 MEDIUM

CVE-2026-41466: ProjeQtor < 12.4.4 Stored XSS via checkValidHtmlText()

Vendor Projeqtor
Product ProjeQtor
Weakness CWE-79 · XSS
Published April 27, 2026
Last update May 14, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality None (vulnerable system), Low (subsequent system)
Integrity None (vulnerable system), Low (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php. The function fails to properly sanitize user input: it only detects specific patterns and otherwise returns the string unsanitized, without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax, such as img tags with event handlers, which are stored and then executed in the browsers of users viewing the affected content.
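An added illustration in PHP of the flaw class described above (not ProjeQtor's code; the function names and the denylist patterns are hypothetical): a check that only rejects a few known patterns and otherwise returns the input untouched, beside the output-time encoding that renders stored markup as literal text whatever syntax it uses.

```php
<?php
// Added illustration, not code from ProjeQtor or Security.php.

// Hypothetical denylist-style check modelled on the flaw class described
// above: it rejects a few known patterns and otherwise returns the input
// string unchanged, so any syntax the patterns miss is stored as-is.
function denylistOnly(string $text): string
{
    $blocked = ['/<script\b/i', '/javascript:/i'];   // hypothetical patterns
    foreach ($blocked as $pattern) {
        if (preg_match($pattern, $text)) {
            return '';        // known-bad input dropped
        }
    }
    return $text;             // everything else passes through unencoded
}

// Hardened form: encode for the HTML context at output time. Every '<', '>',
// '&' and quote becomes an entity, so a stored tag is displayed as text and
// never parsed as markup, regardless of which tag or attribute it uses.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 instead of silently dropping the content.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample: an img tag carrying an event-handler attribute, the
// bypass class the advisory names. It matches neither hypothetical pattern,
// so the denylist returns it unchanged; the encoder neutralizes it.
$sample = '<img src="x" onerror="alert(1)">';

echo "denylist passed unchanged: ", var_export(denylistOnly($sample) === $sample, true), PHP_EOL;
echo "encoded for HTML output:  ", encodeForHtml($sample), PHP_EOL;
```

Output encoding belongs at the point where the text is written into the page; a detection check at input time may still be kept, but only as defence in depth, never as the sole control.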

Key dates

Disclosure timeline

April 27, 2026 CVE published
May 14, 2026 Record updated