Description
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.
Published: 2026-04-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross‑site scripting flaw in the checkValidHtmlText() function within Security.php. The function attempts to sanitize user input but only detects specific patterns and returns the string unescaped, allowing attackers to inject malicious HTML content such as img tags with event handlers. When a user opens a page that displays the stored content, the browser executes the injected code, enabling the attacker to alter the appearance of the application or run arbitrary scripts in the victim’s browser.

Affected Systems

Affected are installations of the ProjeQtor web application running any version from 7.0 up to, but not including, 12.4.4. This includes both the Community Edition and Enterprise Edition released by the ProjeQtor project.

Risk and Exploitability

The CVSS v4.0 score of 5.1 (v3.1: 5.4) places this at medium severity. Both vectors require low privileges (PR:L) and user interaction (UI:P / UI:R): the attacker needs an account that can submit HTML through an affected field, the payload is persisted, and it runs when another user opens the page that renders it. The changed-scope (S:C) and subsequent-system (SC:L/SI:L) components reflect that the script executes in the viewing user's browser rather than on the server, so the practical impact is session and content abuse against whoever views the record, which can include administrators. EPSS is below 1% and the issue is not in the CISA KEV catalog; the SSVC entry records a public proof of concept (Exploitation: poc) but rates it not automatable.

Generated by OpenCVE AI on April 28, 2026 at 13:00 UTC.

Remediation

No vendor advisory or workaround is recorded on this page. The affected range ends at 12.4.3 (title: ProjeQtor < 12.4.4), so 12.4.4 is the first version outside it.

OpenCVE Recommended Actions

  • Upgrade ProjeQtor to version 12.4.4 or later, the first version outside the affected range, and verify afterwards that a test entry containing an img tag with an onerror attribute is stored and rendered without the handler.
  • Until then, replace the pattern denylist with an allowlist sanitizer on every field that accepts HTML (keep a fixed set of formatting tags and attributes, drop everything else, including all on* attributes and javascript: URLs), and HTML-encode plain-text fields on output. A longer denylist is not a fix: the bypass the advisory names is exactly an alternative syntax the existing list did not anticipate.
  • Send a Content-Security-Policy whose script-src omits 'unsafe-inline'; the browser then refuses inline event handlers such as onerror even if a payload does get stored.
  • Review content stored before the fix for event-handler attributes and javascript: URLs, since upgrading the sanitizer does not clean records that were persisted earlier.

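
The denylist pattern the description gives and the allowlist replacement recommended above, as an added PHP example that is not ProjeQtor's code. checkValidHtmlText_weak() is a hypothetical reconstruction of the failure mode (it matches a few strings and returns everything else unescaped), not the actual function from Security.php; the other function names, the tag and attribute allowlists, the CSP value and the payload are assumptions made for the example.

```php
<?php
// Added example, not ProjeQtor's code. checkValidHtmlText_weak() is a hypothetical
// reconstruction of the pattern the advisory describes; sanitizeHtmlAllowlist(),
// renderText(), cspHeaderValue(), findSuspiciousHtml() and the allowlists are assumptions.

// Reconstructed weak check (assumption): denylist only, no output encoding.
function checkValidHtmlText_weak(string $text): string {
    foreach (['<script', 'javascript:', 'onload='] as $bad) {
        if (stripos($text, $bad) !== false) {
            return '';                 // known-bad input is dropped
        }
    }
    return $text;                      // anything else passes through untouched
}

// Hardened replacement: keep only allowlisted tags/attributes via DOMDocument.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];

function sanitizeHtmlAllowlist(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate malformed input
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';                                    // unparseable: emit nothing
    }
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);              // text nodes are re-encoded here
    }
    return $out;
}

function cleanNode(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes, false) as $child) { // snapshot: we mutate
        if ($child instanceof DOMText) {
            continue;                                 // plain text is always fine
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);               // comments, CDATA, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);               // drop element and its contents
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown element (img, svg, iframe, ...): keep only its text.
            $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
            continue;
        }
        // Drop every attribute not allowlisted for this tag. That removes all
        // on* handlers, style, srcdoc, ... without having to enumerate them.
        for ($i = $child->attributes->length - 1; $i >= 0; $i--) {
            $name = $child->attributes->item($i)->name;
            if (!in_array(strtolower($name), ALLOWED_ATTRS[$tag] ?? [], true)) {
                $child->removeAttribute($name);
            }
        }
        // href: only http(s), mailto or site-relative (not protocol-relative).
        // DOMDocument has decoded entities already, so &#106;avascript: is caught too.
        if ($child->hasAttribute('href')
            && !preg_match('#^(https?:|mailto:|/(?!/))#i', trim($child->getAttribute('href')))) {
            $child->removeAttribute('href');
        }
        cleanNode($child);
    }
}

// Plain-text fields never go through the sanitizer; encode them on output.
function renderText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence in depth: with no 'unsafe-inline', the browser refuses inline
// handlers such as onerror even if a payload does get stored.
function cspHeaderValue(): string {
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Triage helper for records stored before the fix: flag event-handler
// attributes and javascript: URLs so they can be re-sanitized.
function findSuspiciousHtml(string $html): array {
    preg_match_all('/\son[a-z]+\s*=|javascript\s*:/i', $html, $m);
    return array_map('trim', $m[0]);
}

header('Content-Security-Policy: ' . cspHeaderValue());   // no-op on the CLI
// Constructed payload: the img/event-handler bypass the advisory names.
$payload = '<img src=x onerror=alert(document.cookie)>';
var_dump(checkValidHtmlText_weak($payload) === $payload);
echo sanitizeHtmlAllowlist('<b>ok</b>' . $payload . '<a href="javascript:alert(1)">x</a>'), "\n";
echo renderText($payload), "\n";
print_r(findSuspiciousHtml($payload));
```

Run it with the php CLI. The comparison prints true because the img payload contains none of the denied strings, which is the whole bug; the sanitizer keeps `<b>ok</b>` and the link text but drops the img element and the javascript: href, and renderText() shows the alternative for fields that are plain text. The allowlist removes every attribute that is not explicitly permitted, so it does not depend on enumerating event handlers, which is exactly where a denylist fails. The sanitizer is a minimal illustration; in production a maintained library such as HTML Purifier is the better choice, with the same allowlist principle.
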
Advisories

No advisories yet.

History

Tue, 28 Apr 2026 00:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Projeqtor
                                       Projeqtor projeqtor
Vendors & Products                     Projeqtor
                                       Projeqtor projeqtor

Mon, 27 Apr 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 15:30:00 +0000

Type         Values Removed   Values Added
Description                   ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.
Title                         ProjeQtor < 12.4.4 Stored XSS via checkValidHtmlText()
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                              cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:50.261Z

Reserved: 2026-04-20T16:07:47.311Z

Link: CVE-2026-41466

Vulnrichment

Updated: 2026-04-27T15:47:04.986Z

NVD

Status : Deferred

Published: 2026-04-27T16:16:45.937

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-41466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses