PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58144 Cotonti CVE debrief

CVE-2026-58144 is a stored cross-site scripting vulnerability in Cotonti Siena 0.9.26 and earlier. The vulnerability allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators. This issue has a medium priority due to its CVSS score of 5.1.

Vendor
Cotonti
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Cotonti Siena 0.9.26 and earlier should apply patches or mitigations to prevent exploitation of this stored cross-site scripting vulnerability. Affected operators, platforms, vulnerability-management teams, and security teams should prioritize this issue due to its potential impact on user data and system security.

Technical summary

The vulnerability exists in the pfs.main.php file of Cotonti Siena 0.9.26 and earlier, where the ntitle parameter is processed through the TXT filter without proper escaping. This allows authenticated users with PFS access to inject malicious HTML, including script tags, which are stored in the database and executed in the browser of users who view the folder listing. The vulnerability has a CVSS score of 5.1 and is classified as MEDIUM severity.

Defensive priority

Medium priority due to the CVSS score of 5.1 and the potential for exploitation by authenticated users.

Recommended defensive actions

  • Apply patches or updates to Cotonti Siena to address the vulnerability
  • Implement input validation and output encoding for user-supplied data
  • Monitor for suspicious activity and implement compensating controls
  • Consider disabling PFS access for users who do not require it
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-09T22:17:09.817Z and last modified on 2026-07-10T14:16:54.480Z. The NVD entry is currently in the 'Received' status. Evidence is limited to CVE and NVD data. Defenders should verify product deployments, review official advisories, and plan updates or mitigations. Monitoring and compensating controls are recommended while remediation is scheduled.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:09.817Z and has not been modified since then. The NVD entry is currently Received.