CVE-2026-41467 MEDIUM

CVE-2026-41467: ProjeQtor < 12.4.4 Stored XSS via checkValidFileName()

Vendor Projeqtor
Product ProjeQtor
Weakness CWE-79 · XSS
Published April 27, 2026
Last update May 14, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality None (vulnerable system), Low (subsequent system)
Integrity None (vulnerable system), Low (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality: the checkValidFileName() function fails to reject HTML and HTM file uploads. An authenticated attacker can upload an HTML file containing arbitrary JavaScript through the image upload or attachment endpoints, and the browser of any user who opens the uploaded file's URL will execute the embedded JavaScript.
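The root cause described above is a file-name check that blocks nothing dangerous, combined with serving the stored file inline. The following PHP is an added example written for this page, not ProjeQtor's own code: it shows an allow-list replacement for such a check, plus the response headers that stop a stored file from rendering as a page in the application's origin even if the check is bypassed. The function names, the allow-list and the sample file names are assumptions constructed for the example.

```php
<?php
// Added illustrative example, not ProjeQtor's code. Function names, the
// allow-list and the sample names below are assumptions for this example.

declare(strict_types=1);

/** Extensions the upload endpoint is willing to accept (assumed allow-list). */
const ALLOWED_UPLOAD_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'csv'];

/**
 * Accept a file name only if its last extension is on the allow-list.
 * A deny-list of "html"/"htm" is not enough: browsers also render .xhtml,
 * .svg and .xml as active content, so the check names what is allowed
 * rather than what is forbidden.
 */
function isAllowedUploadName(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    // Reject path separators, control characters and leading dots.
    if (preg_match('/[\/\\\\\x00-\x1f]/', $name) === 1 || $name[0] === '.') {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true);
}

/**
 * Headers to send when a stored file is fetched, whatever its name: the
 * browser is told to download it, never to sniff a type, and a restrictive
 * CSP disarms any script should the file be rendered anyway.
 */
function downloadHeaders(string $storedName): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $storedName);
    return [
        'Content-Type'            => 'application/octet-stream',
        'Content-Disposition'     => 'attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Constructed sample names exercising the check.
$samples = [
    'report.pdf', 'diagram.png', 'notes.html', 'page.htm',
    'vector.svg', 'archive.pdf.html', '../outside.png',
];
foreach ($samples as $s) {
    printf("%-18s %s\n", $s, isAllowedUploadName($s) ? 'accepted' : 'rejected');
}

echo "\nHeaders for serving report.pdf:\n";
foreach (downloadHeaders('report.pdf') as $h => $v) {
    echo "$h: $v\n";
}
```

Of the sample names only the first two are accepted; the double extension and the path traversal attempt are rejected by the same allow-list and character rules. The headers are the second layer: with Content-Disposition set to attachment and nosniff, a file that slips through is downloaded rather than executed in the application's origin, which is the condition the stored XSS depends on.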

Key dates

02 Disclosure timeline

April 27, 2026 CVE published
May 14, 2026 Record updated