CVE-2026-55746

HIGH 7.6

Cotonti stored XSS via PFS folder title

CVSS Score

7.6

EPSS Score

0.0%

EPSS Percentile

0th

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.

CWE	CWE-79
Vendor	cotonti
Product	cotonti
Published	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for cotonti cotonti

Be the first to know when new high vulnerabilities affecting cotonti cotonti are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

Cotonti / Cotonti

1.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.main.php#L396 github.com: https://github.com/Cotonti/Cotonti

Credits

Saidakbarxon Maxsudxonov (sermikro), Innova Networks