Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.
Published: 2026-06-18
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to embed arbitrary HTML or JavaScript into a Personal File Storage folder title. Because Cotonti imports the title with the 'TXT' filter and later renders it unescaped, the script runs when the folder listing is viewed. An attacker can steal session cookies, deface the site, or redirect users to malicious URLs, affecting any user who views the exposed folder.

Affected Systems

Affected systems are Cotonti CMS version 1.0.0 (master branch), identified by commit f43f1fc3. Any instance that uses the Personal File Storage module and has public or shared folders is vulnerable. The flaw resides in modules/pfs/inc/pfs.main.php at line 396 and the associated template output.

Risk and Exploitability

The CVSS score of 7 indicates a high severity, while the EPSS score of less than 1% suggests a very low but non-zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated web user; once an attacker stores malicious content, the script affects any other user who views the folder, thereby extending the impact beyond the originator.

Generated by OpenCVE AI on June 18, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patch that sanitizes PFS folder titles before storing or outputting them.
  • If upgrading is not immediately possible, disable the Personal File Storage module or restrict its use to non-public folders.
  • Apply server-side filtering to escape or strip HTML tags from folder titles before rendering them in templates.
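As an added illustration (not Cotonti's own code) of the unescaped sink in the description above and of the output-escaping fix in the last recommended action: a minimal PHP rendering of a folder row, first passing the stored title through unchanged, then escaping it at the template boundary, with a check a defender can run over rendered rows. The function names, the wrapper markup and the sample title are hypothetical and constructed.

```php
<?php
// Added example, not Cotonti's code. Names (renderFolderRowUnsafe,
// renderFolderRowSafe, titleContributesMarkup, $storedTitle) are hypothetical.

// Constructed sample: a folder title that already contains HTML. An import
// filter that does not strip or encode tags lets such a value reach the DB.
$storedTitle = 'Holiday photos <b>2026</b>';

$rowOpen  = '<tr><td class="pff-title">';
$rowClose = '</td></tr>';

// Vulnerable pattern: the stored title is placed into the row template
// verbatim, so any markup in it becomes part of the page (stored XSS).
function renderFolderRowUnsafe(string $title): string
{
    global $rowOpen, $rowClose;
    return $rowOpen . $title . $rowClose;
}

// Hardened pattern: escape at the output boundary, not only at import time.
// Escaping on output also covers rows stored before the fix and keeps
// legitimate titles such as "Photos <2020" readable. ENT_QUOTES makes the
// value safe inside attributes too; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function renderFolderRowSafe(string $title): string
{
    global $rowOpen, $rowClose;
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $rowOpen . $escaped . $rowClose;
}

// Defender's check: strip the template's own wrapper and see whether the
// title itself contributed any tag delimiters to the rendered row.
function titleContributesMarkup(string $rowHtml, string $open, string $close): bool
{
    $inner = substr($rowHtml, strlen($open), -strlen($close));
    return strpbrk($inner, '<>') !== false;
}

foreach (['unsafe' => renderFolderRowUnsafe($storedTitle),
          'safe'   => renderFolderRowSafe($storedTitle)] as $label => $row) {
    $verdict = titleContributesMarkup($row, $rowOpen, $rowClose) ? 'INJECTED' : 'inert';
    echo "{$label}: {$verdict}\n    {$row}\n";
}
```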

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Change record (columns: Type, Values Removed, Values Added):
  • Description: added the CVE description shown at the top of this page (identical text).
  • Title: added "Cotonti stored XSS via PFS folder title".
  • Weaknesses: added CWE-79.
  • References: (no values listed).
  • Metrics: added
      cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}
      cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:32:08.737Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55746

Vulnrichment

Updated: 2026-06-18T12:32:01.317Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')