Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pfftitle) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cotimport is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFFROWTITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFFROWTITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.
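As an added illustration of the flaw described above (example code, not Cotonti's own), the unescaped template-variable pattern is shown beside the hardened form that encodes on output; the function names, template string and folder title are hypothetical and constructed for this example.

```php
<?php
// Constructed user-controlled folder title, as a user could submit it.
$pfftitle = "Docs <script>alert(1)</script>";

// Vulnerable pattern: a text filter that leaves HTML intact (analogous to the
// 'TXT' filter with the tag check disabled) followed by raw substitution into
// the template variable, which the template then outputs as-is.
function import_txt_unsafe(string $value): string {
    return trim($value);            // no tag stripping, no encoding
}

function render_row_unsafe(string $title): string {
    $tpl = '<tr><td class="pfs-folder">{PFFROWTITLE}</td></tr>';
    return str_replace('{PFFROWTITLE}', $title, $tpl);
}

// Hardened pattern: encode at the point where the value meets HTML. Encoding
// both quote styles and forcing UTF-8 covers text-node and attribute contexts.
function render_row_safe(string $title): string {
    $tpl = '<tr><td class="pfs-folder">{PFFROWTITLE}</td></tr>';
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return str_replace('{PFFROWTITLE}', $escaped, $tpl);
}

// Regression check a maintainer can keep in a test suite: rendered markup must
// never contain a live tag that originated in user input.
function contains_live_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$title  = import_txt_unsafe($pfftitle);
$unsafe = render_row_unsafe($title);
$safe   = render_row_safe($title);

echo "Vulnerable row: $unsafe\n";   // the tag survives and would run in a browser
echo "Hardened row:   $safe\n";     // the tag is rendered as literal text

if (contains_live_script($unsafe) && !contains_live_script($safe)) {
    echo "Check passed: escaping on output neutralises the stored title.\n";
}
```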
{
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:52:31Z",
"nvd_published_at": "2026-06-18T08:16:34Z",
"severity": "HIGH",
"cwe_ids": [
"CWE-79"
]
}