VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published Apr 27, 2026 · Updated Apr 27, 2026

CVE-2026-41466

Description

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function in Security.php. The function does not properly sanitize user input: it only detects a few specific patterns and otherwise returns the string unchanged, without output encoding. Attackers can inject payloads that bypass the filter using alternative syntax, such as img tags with event handlers; the payloads are stored and execute in the browsers of users who view the affected content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ProjeQtor versions 7.0 to 12.4.3 are vulnerable to stored XSS via insufficient input sanitization in checkValidHtmlText(), allowing arbitrary JavaScript execution.

Root Cause

The stored cross-site scripting vulnerability resides in the checkValidHtmlText() function in Security.php. Instead of properly sanitizing user input, the function runs regex checks for a few known-bad patterns and a limited set of event attributes, then returns the original, unsanitized string without output encoding [2][3]. Any markup the patterns do not match passes through verbatim, so an attacker can bypass the filter with alternative syntax such as an img tag carrying an event handler [2].

Exploitation

A low-privileged authenticated attacker can inject malicious content, for example into search fields or comments [2]. The payload is stored and later executed when other users view the affected page; the only user interaction required is that a victim loads the content [2][3].
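To make the root cause and the exploitation path above concrete, here is an added Python example; it is not ProjeQtor's code and not taken from the advisory. It models the blocklist design the advisory describes (the exact pattern set and the reject-on-match behaviour of the model are assumptions, since the page does not show the real checkValidHtmlText() body), runs the img-with-event-handler payload past it, and then shows two hardened alternatives: output encoding for plain-text fields, and an allowlist sanitizer for fields that must keep some formatting. All payloads and sample inputs are constructed.

```python
import html
import re
from html.parser import HTMLParser

# --- 1. Hypothetical blocklist filter: a model of the advisory's description,
#        not ProjeQtor's checkValidHtmlText(). The pattern set and the
#        reject-on-match behaviour are assumptions. ----------------------------
BLOCKED_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),                    # <script ...>
    re.compile(r"\bon(click|load|mouseover)\s*=", re.IGNORECASE),  # a few handlers only
]


def naive_check_valid_html_text(text):
    """Reject input that matches a blocklisted pattern; otherwise return it
    unchanged, with no output encoding. This is the flawed design."""
    for pattern in BLOCKED_PATTERNS:
        if pattern.search(text):
            return None
    return text


# --- 2. Hardened option A: encode at output for fields that are plain text ----
def encode_for_html(text):
    """Entity-encode every HTML metacharacter so the browser renders the
    payload as text instead of parsing it as markup."""
    return html.escape(text, quote=True)


# --- 3. Hardened option B: allowlist sanitizer for fields that must keep
#        some formatting. Anything not explicitly permitted is dropped,
#        which covers every on* event attribute without listing them. --------
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF = re.compile(r"^(https?://|/(?!/))", re.IGNORECASE)  # no javascript:, data:, //host


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror=, style=, src=, ... never survive
            if name == "href" and not SAFE_HREF.match((value or "").strip()):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text nodes are re-encoded

    def result(self):
        return "".join(self.out)


def sanitize_html(text):
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


# --- 4. Constructed payloads ---------------------------------------------------
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
IMG_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'  # not in the blocklist

if __name__ == "__main__":
    print("blocklist on <script>:", naive_check_valid_html_text(SCRIPT_PAYLOAD))  # None: caught
    print("blocklist on <img>:   ", naive_check_valid_html_text(IMG_PAYLOAD))     # returned verbatim
    print("encoded:              ", encode_for_html(IMG_PAYLOAD))
    print("sanitized:            ", sanitize_html("<b>note</b>" + IMG_PAYLOAD))
```

The point of the two hardened functions is that neither tries to enumerate bad input. A blocklist can never keep up with every tag, attribute and encoding a browser accepts, which is exactly why a handler missing from the list (onerror here) walks straight through. In PHP the output-encoding step corresponds to htmlspecialchars($s, ENT_QUOTES, 'UTF-8') applied where the value is rendered, and the allowlist approach to a maintained HTML sanitizer library rather than hand-written regexes.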

Impact

Successful exploitation enables arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, unauthorized actions performed as the victim, or redirection to malicious sites [2][3]. The CVSS v3 base score of 5.4 reflects medium severity with changed scope [3].

Mitigation

The vulnerability affects ProjeQtor versions 7.0 through 12.4.3. Users should upgrade to version 12.4.4 or later, which contains a fix [3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)