Description
Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 10 Jul 2026 00:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Cotonti
Cotonti cotonti |
|
| Vendors & Products |
Cotonti
Cotonti cotonti |
Thu, 09 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators. | |
| Title | Cotonti Siena 0.9.26 Stored XSS via PFS Module ntitle Parameter | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-09T22:07:11.370Z
Reserved: 2026-06-29T14:13:18.385Z
Link: CVE-2026-58144
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T23:45:03Z
Weaknesses
-
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')