CVE-2026-41466

low-risk

Published 2026-04-27

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.

Do I need to act?

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

References (4)

https://damiri.fr/en/cves/CVE-2026-41466

https://gryfman.fr/cves/CVE-2026-41466

https://www.projeqtor.com

https://www.vulncheck.com/advisories/projeqtor-stored-xss-via-checkvalidhtmltext

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal