CVE-2026-41467 Overview
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting (XSS) vulnerability in the file upload functionality. The checkValidFileName() function fails to restrict HTML and HTM file uploads, allowing authenticated attackers to upload malicious HTML files containing arbitrary JavaScript through the image upload or attachment endpoints. Any user accessing the uploaded file URL will execute the embedded JavaScript in their browser, potentially leading to session hijacking, credential theft, or other client-side attacks.
Critical Impact
Authenticated attackers can persistently inject malicious JavaScript that executes in the context of other users' sessions, potentially compromising user credentials and session tokens across the ProjeQtor application.
Affected Products
- ProjeQtor version 7.0
- ProjeQtor versions 7.0 through 12.4.3
- ProjeQtor version 12.4.3 and earlier
Discovery Timeline
- 2026-04-27 - CVE CVE-2026-41467 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41467
Vulnerability Analysis
This stored cross-site scripting vulnerability exists in ProjeQtor's file upload handling mechanism. The core issue lies in the checkValidFileName() function, which is responsible for validating uploaded file types but fails to properly restrict HTML and HTM file extensions. This oversight allows authenticated users to upload HTML files containing malicious JavaScript code through legitimate upload endpoints such as image uploads or file attachments.
When a victim user navigates to or is directed to the URL of the uploaded malicious HTML file, their browser renders the HTML content and executes any embedded JavaScript within the security context of the ProjeQtor application. This execution happens with the victim's session privileges, enabling the attacker to perform actions on behalf of the victim, steal session cookies, capture keystrokes, or redirect users to phishing pages.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses cross-site scripting weaknesses. The attack requires network access and authentication to the ProjeQtor application, along with some user interaction to trigger the payload execution.
Root Cause
The root cause is insufficient file type validation in the checkValidFileName() function. This function does not include HTML or HTM in its list of restricted file extensions, allowing these potentially dangerous file types to be uploaded to the server. Proper file upload validation should implement an allowlist approach, restricting uploads to only explicitly permitted and safe file types, rather than relying on a blocklist that may omit dangerous extensions.
Attack Vector
The attack follows a stored XSS pattern requiring authenticated access to the ProjeQtor application. An authenticated attacker first crafts an HTML file containing malicious JavaScript payload, such as code to exfiltrate session cookies or perform CSRF attacks. The attacker then uploads this file through one of ProjeQtor's file upload endpoints, such as the image upload feature or attachment functionality.
Once uploaded, the malicious file is stored on the server and assigned a URL. The attacker can then distribute this URL to other users through various means—embedding it in project comments, sending it via ProjeQtor's messaging features, or through external channels. When a victim user accesses the URL, their browser renders the HTML file and executes the embedded JavaScript with full access to the victim's session context.
Detection Methods for CVE-2026-41467
Indicators of Compromise
- HTML or HTM files appearing in ProjeQtor upload directories such as /files/attach/ or /files/images/
- Web server access logs showing requests to .html or .htm files within ProjeQtor's upload paths
- Unexpected JavaScript execution or browser alerts when accessing uploaded files
- User reports of suspicious behavior or redirects when viewing attachments
Detection Strategies
- Implement file system monitoring to alert on HTML/HTM files created in ProjeQtor upload directories
- Configure web application firewall (WAF) rules to detect and block requests to HTML files in upload paths
- Review web server access logs for patterns indicating access to uploaded HTML files
- Enable Content Security Policy (CSP) headers to mitigate JavaScript execution from uploaded content
Monitoring Recommendations
- Monitor authentication logs for unusual patterns following access to uploaded files
- Implement real-time alerting for HTML file uploads through ProjeQtor's file handling endpoints
- Track user session activity for anomalous behavior that may indicate session hijacking
- Regularly audit uploaded files for potentially malicious content
How to Mitigate CVE-2026-41467
Immediate Actions Required
- Upgrade ProjeQtor to a version newer than 12.4.3 that includes the security fix
- Audit existing uploaded files for HTML/HTM content and remove any suspicious files
- Implement additional server-side validation to block HTML file uploads
- Configure web server to serve uploaded files with Content-Disposition: attachment header to prevent browser rendering
Patch Information
Organizations should upgrade to the latest ProjeQtor version that addresses this vulnerability. The fix involves updating the checkValidFileName() function to include HTML and HTM in the list of restricted file extensions. For detailed patch information, refer to the VulnCheck ProjeQtor XSS Advisory and the ProjeQtor Official Website.
Additional technical details can be found at the Damiri CVE-2026-41467 Entry and Gryfman CVE-2026-41467 Entry.
Workarounds
- Configure the web server to deny access to .html and .htm files within ProjeQtor's upload directories
- Implement a custom upload validation script that blocks HTML file uploads at the web server level
- Use .htaccess rules (Apache) or location blocks (Nginx) to prevent serving HTML content from upload directories
- Deploy a web application firewall rule to intercept and block HTML file uploads to ProjeQtor endpoints
# Apache .htaccess workaround for upload directory
# Add to ProjeQtor's files/attach/.htaccess
<FilesMatch "\.(html|htm)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Alternative: Force download instead of rendering
<FilesMatch "\.(html|htm)$">
Header set Content-Disposition attachment
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
