Home

Description

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-27 | Updated 2026-04-27 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

7.0 (semver)
affected

12.4.4 (semver)
unaffected

Credits

Yassine Damiri finder

Noé Susset finder

References

damiri.fr/en/cves/CVE-2026-41466 technical-description exploit

gryfman.fr/cves/CVE-2026-41466 technical-description exploit

www.projeqtor.com product

www.vulncheck.com/...eqtor-stored-xss-via-checkvalidhtmltext third-party-advisory

cve.org (CVE-2026-41466)

nvd.nist.gov (CVE-2026-41466)

Download JSON