PT-2026-35446 · Projeqtor · Projeqtor

Authors: Noé Susset and one other · Published 2026-04-27 · Updated 2026-04-27 · CVE-2026-41467

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ProjeQtor versions 7.0 through 12.4.3

Description
A stored cross-site scripting (XSS) vulnerability exists in the file upload functionality. The checkValidFileName() function does not reject files with .html and .htm extensions, so an authenticated attacker can upload an HTML file containing arbitrary JavaScript through the image upload or attachment endpoints. The file is stored on the server under the application's origin; when any user opens its URL, the embedded JavaScript executes in that user's browser with access to their ProjeQtor session. The vector reflects this: PR:L (a valid account is required to upload), UI:R (a victim must open the link), S:C (the impact lands in the victim's browser rather than in the upload component itself).

Recommendations
Update to version 12.4.4 or later. As a temporary workaround, restrict which users and roles can reach the image upload and attachment endpoints, and make sure stored uploads are never rendered inline as documents: serve them with Content-Disposition: attachment and X-Content-Type-Options: nosniff (or from a separate origin that carries no session cookie), so that an HTML file already on disk is downloaded rather than executed.
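The weak pattern the advisory describes, beside a hardened replacement, as an added example. This is not ProjeQtor's code: the real checkValidFileName() is not reproduced on this page, so checkValidFileName_denylist() is a hypothetical reconstruction of a denylist that never mentions .html/.htm, and checkValidFileName_allowlist(), looksLikeHtml(), acceptUpload() and sendStoredFile() are assumed names for the fix. The hardened side goes beyond the page's one-line fix by also sniffing the upload body (so HTML stored under an image name is caught) and by forcing downloads on the serving side.

```php
<?php
// Added example, not ProjeQtor's code. checkValidFileName_denylist() is a
// hypothetical reconstruction of the weak pattern in the advisory; the other
// function names are assumptions for the hardened replacement.

// Weak pattern: block a few "dangerous" extensions, allow everything else.
// .html and .htm are not on the list, so an HTML file with <script> passes.
function checkValidFileName_denylist(string $name): bool
{
    $blocked = ['php', 'phtml', 'phar', 'exe', 'sh'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened pattern: an allowlist of the extensions the application needs.
// svg is deliberately absent: SVG is XML and can carry <script> as well.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'csv', 'zip'];

function checkValidFileName_allowlist(string $name): bool
{
    // Reject empty names and anything carrying a path component.
    if ($name === '' || $name !== basename($name)) {
        return false;
    }
    // Only the final extension decides; "report.html.png" is judged as .png
    // and is then caught by the content sniff below.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Extension checks alone are not enough: a browser that sniffs content, or a
// server that guesses the MIME type, can still render HTML stored as "x.png".
function looksLikeHtml(string $bytes): bool
{
    $head = substr($bytes, 0, 1024);
    $tags = '/<\s*(!doctype\s+html|html|script|svg|body|iframe|object|embed)\b/i';
    return preg_match($tags, $head) === 1;
}

function acceptUpload(string $name, string $bytes): bool
{
    return checkValidFileName_allowlist($name) && !looksLikeHtml($bytes);
}

// Serving side: even an allowed file is never rendered inline as a document.
// A fixed Content-Type, nosniff and an attachment disposition make the browser
// download the file instead of executing anything inside it.
function sendStoredFile(string $path, string $downloadName): void
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile($path);
}

// Constructed inputs for the demonstration (not captured from a real system).
$htmlPayload = "<html><body><script>alert(document.domain)</script></body></html>";
$pngHeader   = "\x89PNG\r\n\x1a\n";

$cases = [
    ['note.html', $htmlPayload],   // the case from the advisory
    ['note.png',  $htmlPayload],   // HTML hiding under an image extension
    ['photo.png', $pngHeader],     // a genuine image
    ['../x.png',  $pngHeader],     // path component in the file name
];

foreach ($cases as [$name, $bytes]) {
    printf("%-12s denylist=%s  allowlist+sniff=%s\n",
        $name,
        checkValidFileName_denylist($name) ? 'accept' : 'reject',
        acceptUpload($name, $bytes) ? 'accept' : 'reject');
}
```

Run it with `php example.php` to see the two checks side by side on the four constructed names. The point of the three-layer fix is that each layer covers a gap in the previous one: the allowlist closes the .html/.htm hole, the body sniff covers HTML stored under an allowed extension, and the serving headers mean that files uploaded before the patch (which are still on disk after updating) are downloaded rather than rendered.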
