Stored Cross-Site Scripting Vulnerability in ProjeQtor by ProjeQtor
CVE-2026-41467

5.1MEDIUM

Key Information:

Vendor: Projeqtor
Status: Projeqtor
Vendor: CVE Published:; 27 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-41467?

ProjeQtor versions from 7.0 to 12.4.3 feature a stored cross-site scripting vulnerability that arises from inadequate restrictions on file uploads. Specifically, the checkValidFileName() function allows authenticated users to upload HTML files containing malicious JavaScript. As a result, users accessing the URLs of these uploaded files unknowingly execute the embedded scripts in their browsers, potentially leading to a wide range of exploit scenarios such as data theft, session hijacking, or unauthorized actions.

Affected Version(s)

ProjeQtor 7.0 <= 12.4.3

ProjeQtor 12.4.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-41467 - Proof of Concept

References

https://damiri.fr/en/cves/CVE-2026-41467

technical-descriptionexploit

https://gryfman.fr/cves/CVE-2026-41467

technical-descriptionexploit

https://www.projeqtor.com

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 27, 2026
👾
Exploit known to exist
Apr 27, 2026
Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

Yassine Damiri

Noé Susset

CVE-2026-41467 Data

JSON

Projeqtor

Badges

What is CVE-2026-41467?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit