CVE-2026-41466 Overview
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting (XSS) vulnerability in the checkValidHtmlText() function within Security.php. The function fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as <img> tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' browser sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.
Affected Products
- ProjeQtor versions 7.0 through 12.4.3
- All installations using the vulnerable checkValidHtmlText() function in Security.php
Discovery Timeline
- 2026-04-27 - CVE-2026-41466 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41466
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) stems from inadequate input validation in ProjeQtor's security filtering mechanism. The checkValidHtmlText() function in Security.php implements a pattern-based blocklist approach to detect potentially malicious HTML content. However, the function's implementation is fundamentally flawed because it only checks for specific attack patterns while returning the original unsanitized input when no matches are found.
The core issue is that the function lacks proper output encoding and relies on an incomplete blocklist that can be trivially bypassed. When an attacker submits HTML content containing JavaScript payloads using patterns not explicitly blocked—such as <img src=x onerror=...> constructs—the malicious content passes through the validation function unmodified and is stored in the database.
Root Cause
The root cause is the improper implementation of input sanitization in checkValidHtmlText(). The function uses a pattern-matching approach that only detects certain known malicious patterns but fails to implement a proper allowlist-based sanitization or output encoding strategy. When the filter does not match any known patterns, it returns the original string without any modification or encoding, allowing alternative XSS vectors to bypass the security control entirely.
Attack Vector
The attack is network-based and requires low privileges (authenticated user) along with user interaction from the victim. An authenticated attacker crafts a malicious payload using HTML tags and event handlers that are not covered by the blocklist filter. The attacker then submits this payload through any user input field that processes content via checkValidHtmlText(). The malicious content is stored in the application database without proper sanitization. When other users—including administrators—view the affected content, the JavaScript payload executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions as the victim, or redirect users to malicious sites.
The vulnerability can be exploited by using alternative XSS syntax that bypasses the pattern-based detection. For example, <img> tags with onerror event handlers or other HTML elements with JavaScript event attributes may not be detected by the incomplete blocklist, allowing the payload to be stored and executed.
Detection Methods for CVE-2026-41466
Indicators of Compromise
- Unexpected HTML tags with JavaScript event handlers (e.g., onerror, onload, onmouseover) appearing in stored content fields
- Presence of encoded or obfuscated script content in database records that should only contain plain text or safe HTML
- User reports of unexpected browser behavior, redirects, or pop-ups when viewing ProjeQtor content
- Anomalous session activity or unauthorized actions that suggest session hijacking
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect common XSS patterns in requests to ProjeQtor
- Deploy content security policy (CSP) headers with strict script-src directives and monitor for CSP violation reports
- Perform regular database audits scanning for suspicious HTML patterns in user-submitted content fields
- Enable detailed access logging and review for unusual patterns of content submission followed by viewing by other users
Monitoring Recommendations
- Configure real-time alerting for CSP violation reports that may indicate attempted XSS exploitation
- Monitor application logs for unusual patterns of content creation and viewing that could suggest an active attack campaign
- Implement browser-side monitoring to detect unexpected script execution or DOM manipulation
- Review user activity logs for accounts that frequently update content fields that are later viewed by high-privilege users
How to Mitigate CVE-2026-41466
Immediate Actions Required
- Upgrade ProjeQtor to the latest version if a security patch has been released by the vendor
- Implement additional input validation and output encoding at the application level as a defense-in-depth measure
- Deploy a Web Application Firewall (WAF) with XSS protection rules in front of ProjeQtor instances
- Audit existing stored content for malicious payloads and sanitize or remove any identified threats
- Implement strict Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks
Patch Information
Consult the ProjeQtor Project Page for the latest security updates and patches. Additional technical details about this vulnerability can be found in the VulnCheck ProjeQtor XSS Advisory and independent security research published at Damiri CVE-2026-41466 and Gryfman CVE-2026-41466.
Workarounds
- Deploy a reverse proxy with XSS filtering capabilities to intercept and sanitize potentially malicious requests
- Implement server-side output encoding for all user-submitted content before rendering in HTML contexts
- Restrict user permissions to limit who can create or modify content that is displayed to other users
- Configure Content Security Policy headers with strict policies to prevent inline script execution
# Example Content-Security-Policy header configuration for Apache
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
