PatchSiren cyber security CVE debrief
CVE-2026-55746 Cotonti CVE debrief
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML. This allows an authenticated user to store HTML/JavaScript in a folder title. The title is then assigned to the template variable PFF_ROW_TITLE without htmlspecialchars() in modules/pfs/inc/pfs.main.php. When the folder listing is viewed, including by other users for public folders, the injected script executes in the victim's browser. This vulnerability has a high impact on confidentiality, integrity, and availability.
- Vendor
- Cotonti
- Product
- Unknown
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-22
Who should care
Users of Cotonti 1.0.0, particularly those with access to the Personal File Storage (PFS) module, should be aware of this vulnerability. System administrators and security teams responsible for Cotonti deployments should prioritize patching or mitigating this vulnerability to prevent potential attacks.
Technical summary
The vulnerability exists in the Personal File Storage (PFS) module of Cotonti 1.0.0. A folder title is imported with the 'TXT' filter, which does not strip or encode HTML. This allows an authenticated user to store HTML/JavaScript in a folder title. The title is then assigned to the template variable PFF_ROW_TITLE without htmlspecialchars() in modules/pfs/inc/pfs.main.php. When the folder listing is viewed, including by other users for public folders, the injected script executes in the victim's browser.
Defensive priority
High priority should be given to updating or patching Cotonti 1.0.0 to prevent exploitation of this vulnerability.
Recommended defensive actions
- Update Cotonti to the latest version or apply patches to fix the vulnerability
- Implement input validation and output encoding for user-supplied data
- Monitor for suspicious activity in the Personal File Storage (PFS) module
- Restrict access to the PFS module to authorized users only
- Regularly review and update user permissions and access controls
- Perform a thorough review of the system for potential compromises
- Consider implementing additional security measures such as Web Application Firewalls (WAFs)
Evidence notes
The CVE record was published on 2026-06-18T08:16:34.453Z and was last modified on 2026-06-22T19:49:09.490Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of this vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance.
Official resources
-
CVE-2026-55746 CVE record
CVE.org
-
CVE-2026-55746 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
-
Source reference
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T08:16:34.453Z and has not been modified since then. The NVD entry is currently Deferred.