CVE-2026-55746 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable… | CVSS 7.6 HIGH

Description

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.

Metadata

CVE ID: CVE-2026-55746
State: PUBLISHED
Assigner: TuranSec
Reserved: 2026-06-17 12:59 UTC
Published: 2026-06-18 06:46 UTC
Last updated: 2026-06-18 12:32 UTC
Primary CWE: CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product: Cotonti / Cotonti
Sources: cve.org · NVD

Severity & Metrics

7.6 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Cotonti	Cotonti	—	1.0.0

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.6	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
7.0	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

References (2)

Vulnerable code: modules/pfs/inc/pfs.main.php https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.main.php#L396
https://github.com/Cotonti/Cotonti