PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55746 Cotonti CVE debrief

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML. This allows an authenticated user to store HTML/JavaScript in a folder title. The title is then assigned to the template variable PFF_ROW_TITLE without htmlspecialchars() in modules/pfs/inc/pfs.main.php. When the folder listing is viewed, including by other users for public folders, the injected script executes in the victim's browser. This vulnerability has a high impact on confidentiality, integrity, and availability.

Vendor
Cotonti
Product
Unknown
CVSS
HIGH 7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-22
Advisory published
2026-06-18
Advisory updated
2026-06-22

Who should care

Users of Cotonti 1.0.0, particularly those with access to the Personal File Storage (PFS) module, should be aware of this vulnerability. System administrators and security teams responsible for Cotonti deployments should prioritize patching or mitigating this vulnerability to prevent potential attacks.

Technical summary

The vulnerability exists in the Personal File Storage (PFS) module of Cotonti 1.0.0. A folder title is imported with the 'TXT' filter, which does not strip or encode HTML. This allows an authenticated user to store HTML/JavaScript in a folder title. The title is then assigned to the template variable PFF_ROW_TITLE without htmlspecialchars() in modules/pfs/inc/pfs.main.php. When the folder listing is viewed, including by other users for public folders, the injected script executes in the victim's browser.

Defensive priority

High priority should be given to updating or patching Cotonti 1.0.0 to prevent exploitation of this vulnerability.

Recommended defensive actions

  • Update Cotonti to the latest version or apply patches to fix the vulnerability
  • Implement input validation and output encoding for user-supplied data
  • Monitor for suspicious activity in the Personal File Storage (PFS) module
  • Restrict access to the PFS module to authorized users only
  • Regularly review and update user permissions and access controls
  • Perform a thorough review of the system for potential compromises
  • Consider implementing additional security measures such as Web Application Firewalls (WAFs)

Evidence notes

The CVE record was published on 2026-06-18T08:16:34.453Z and was last modified on 2026-06-22T19:49:09.490Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of this vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T08:16:34.453Z and has not been modified since then. The NVD entry is currently Deferred.