Description
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.
Published: 2026-04-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting allowing arbitrary JavaScript execution in victims' browsers
Action: Apply Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in ProjeQtor's file upload functions, where the checkValidFileName() routine does not block .html or .htm files. Authenticated attackers can place scripts inside these files and upload them through image or attachment endpoints. Any user who later opens the file URL will have the embedded JavaScript run in their browser, potentially stealing data or hijacking session state.

Affected Systems

The vulnerability affects ProjeQtor versions 7.0 through 12.4.3. All installations running these releases are susceptible, regardless of operating system or deployment environment.

Risk and Exploitability

The CVSS score of 5.1 classifies this as moderately severe. Because the flaw requires authentication and file upload capability, the attack surface is limited to authenticated users. No public exploit code is known, and the vulnerability is not listed in the CISA KEV catalog; its EPSS score is currently unavailable.

Generated by OpenCVE AI on April 28, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ProjeQtor 12.4.4 or later, which removes the flaw in checkValidFileName()
  • If upgrading is not possible, block uploads of files with .html or .htm extensions and reject them before storage
  • Configure the web server to serve uploaded files with safe MIME types and enable content-type sniffing protection to prevent script execution
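As an added illustration of the second and third actions above (example code written for this page, not ProjeQtor's own checkValidFileName(); the extension sets, MIME map and header values are assumptions), a Python upload validator that contrasts a denylist limited to the two extensions the advisory names with an allowlist, plus the response headers for serving stored uploads as data rather than as a page:

```python
import posixpath

# Constructed example (not ProjeQtor code). Extensions a browser renders as an
# active document: .html/.htm are the ones the advisory names; the others are
# well-known additions that a denylist limited to those two still accepts.
ACTIVE_CONTENT_EXTENSIONS = {"html", "htm", "xhtml", "xht", "shtml", "svg", "xml", "mhtml"}
ADVISORY_DENYLIST = {"html", "htm"}

# Allowlist of what an attachment feature actually needs (assumed for the example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv", "zip"}
IMAGE_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}


def normalize_extension(filename: str) -> str:
    """Last suffix of the bare file name, lower-cased, ignoring directory parts
    and trailing dots/spaces that some filesystems silently strip on write."""
    base = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def denylist_check(filename: str) -> bool:
    """Weak pattern: reject only the two extensions the advisory names."""
    return normalize_extension(filename) not in ADVISORY_DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened check: accept only expected extensions, never an active-content one."""
    ext = normalize_extension(filename)
    return ext in ALLOWED_EXTENSIONS and ext not in ACTIVE_CONTENT_EXTENSIONS


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored upload so the browser treats it as data:
    a fixed safe MIME type, nosniff so the type is not guessed from content,
    and attachment disposition so the file is downloaded rather than rendered."""
    ext = normalize_extension(stored_name)
    content_type = IMAGE_TYPES.get(ext, "application/octet-stream")
    # Drop characters that would break out of the quoted filename parameter.
    safe_name = posixpath.basename(stored_name).replace('"', "").replace("\\", "")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
```

Files that must render inline (for example profile images) are better served from a separate origin than by relaxing these headers.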

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 04:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Projeqtor; Projeqtor projeqtor
Vendors & Products | | Projeqtor; Projeqtor projeqtor

Mon, 27 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.
Title | | ProjeQtor < 12.4.4 Stored XSS via checkValidFileName()
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:51.100Z

Reserved: 2026-04-20T16:07:47.311Z

Link: CVE-2026-41467

Vulnrichment

Updated: 2026-04-27T19:15:13.035Z

NVD

Status : Deferred

Published: 2026-04-27T16:16:46.137

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-41467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses