CVE Catalog

CVE-2026-55746

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

Cotonti 1.0.0 is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. An authenticated user can store HTML/JavaScript in a folder title, leading to the execution of the injected script in other users' browsers.

Risk Assessment

An attacker can exploit this vulnerability to execute malicious code in users' browsers, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to implement proper filtering and encoding of input data in the folder title to prevent the injection of malicious code.

Original NVD description (English source)

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS