CVE-2026-55746
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Cotonti 1.0.0 is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. An authenticated user can store HTML/JavaScript in a folder title, leading to the execution of the injected script in other users' browsers.
Risk Assessment
An attacker can exploit this vulnerability to execute malicious code in users' browsers, potentially leading to data theft or session hijacking.
Recommendation
It is recommended to implement proper filtering and encoding of input data in the folder title to prevent the injection of malicious code.
Original NVD description (English source)
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.

