CVE-2026-55746 - Cotonti stored XSS via PFS folder title
CVE ID : CVE-2026-55746
Published : June 18, 2026, 6:46 a.m. | 55 minutes ago
Description : Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (...
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript …
