CVE-2026-41467
Description
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ProjeQtor 7.0-12.4.3 stored XSS: checkValidFileName() allows HTML file uploads, enabling authenticated attackers to execute arbitrary JavaScript when victims access the file.
Root Cause
The stored cross-site scripting vulnerability in ProjeQtor arises from insufficient validation in the checkValidFileName() function within Security.php. This function only blocks .php and .htaccess file extensions but permits .html and .htm files, and it does not inspect file content for malicious scripts [2][3]. As a result, an authenticated attacker can upload an HTML file containing arbitrary JavaScript through endpoints such as /tool/uploadImage.php or /tool/saveAttachment.php.
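The shape of the flaw, as an added illustration that is not ProjeQtor's own code: a denylist-style name check that blocks only .php and .htaccess (mirroring the behaviour the description attributes to checkValidFileName()) accepts a .html upload, while an allowlist of non-active extensions rejects it. The allowlist, the regex and the download-only response headers are this example's assumptions about a sound design, not the 12.4.4 patch.

```python
import posixpath
import re

# Illustrative reconstruction (assumption, not the project's code) of a
# denylist check in the spirit of the flawed checkValidFileName(): only .php
# and .htaccess are refused, so an .html or .htm payload passes.
DENYLISTED_EXT = {".php"}


def denylist_check(filename: str) -> bool:
    name = posixpath.basename(filename)
    if name.lower() == ".htaccess":
        return False
    ext = posixpath.splitext(name)[1].lower()
    return ext not in DENYLISTED_EXT


# Hardened version: an explicit allowlist of extensions that carry no active
# content, plus rejection of path separators, dotfiles and double extensions.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def allowlist_check(filename: str) -> bool:
    name = posixpath.basename(filename)
    if name != filename or not SAFE_NAME.fullmatch(name):
        return False  # traversal, hidden files, "x.php.jpg" style names
    ext = posixpath.splitext(name)[1].lower()
    return ext in ALLOWED_EXT


# Headers for serving an uploaded file so that even if active content slips
# through, the browser downloads it instead of rendering it in the app origin.
def download_headers(name: str, content_type: str = "application/octet-stream") -> dict:
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample names: the first two show the denylist gap.
    for sample in ["payload.html", "payload.htm", "shell.php", "photo.jpg", "../photo.jpg"]:
        print(f"{sample:14} denylist={denylist_check(sample)!s:5} allowlist={allowlist_check(sample)}")
```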
Attack Vector
Exploitation requires low-privilege authentication and user interaction. The attacker uploads a crafted HTML file; any user who accesses the uploaded file's URL will execute the embedded JavaScript in their browser context [2]. The attack is remote, with no special network position required.
Impact
Successful exploitation allows the attacker to perform actions in the victim's session, including session hijacking, data theft, and defacement. The CVSS scope is changed because the script executes in the victim's browser rather than within the application itself [2][3].
Mitigation
The vulnerability is fixed in ProjeQtor version 12.4.4 [3]. Users running versions 7.0 through 12.4.3 should upgrade immediately. No official workaround is documented; restricting file uploads to trusted users may reduce risk but does not eliminate it.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.