CVE-2026-41467

MEDIUM 5.4

ProjeQtor < 12.4.4 Stored XSS via checkValidFileName()

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.

CWE	CWE-79
Vendor	projeqtor
Product	projeqtor
Published	Apr 27, 2026

Stay Ahead of the Next One

Get instant alerts for projeqtor projeqtor

Be the first to know when new medium vulnerabilities affecting projeqtor projeqtor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

ProjeQtor / ProjeQtor

7.0 ≤ 12.4.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

damiri.fr: https://damiri.fr/en/cves/CVE-2026-41467 gryfman.fr: https://gryfman.fr/cves/CVE-2026-41467 projeqtor.com: https://www.projeqtor.com vulncheck.com: https://www.vulncheck.com/advisories/projeqtor-stored-xss-via-checkvalidfilename

Credits

Yassine Damiri Noé Susset