
CVE-2026-55746: Cotonti PFS Module XSS Vulnerability

CVE-2026-55746 is a stored Cross-Site Scripting vulnerability in Cotonti 1.0.0's Personal File Storage module that lets attackers inject malicious scripts via folder titles. This article covers technical details, affected versions, impact, and mitigation.


CVE-2026-55746 Overview

CVE-2026-55746 is a stored Cross-Site Scripting (XSS) vulnerability in Cotonti 1.0.0 (master branch, commit f43f1fc3). The flaw resides in the Personal File Storage (PFS) module, where a folder title field (pff_title) is imported with the TXT filter. The filter neither strips nor encodes HTML because the tag check inside cot_import is disabled. An authenticated user can persist arbitrary HTML or JavaScript in a folder title, and the payload executes in any victim's browser that loads the folder listing, including other users viewing public folders. The issue is classified under CWE-79.

Critical Impact

Authenticated attackers can store JavaScript payloads that execute in other users' browsers, enabling session hijacking, account takeover, and unauthorized actions in the application context.

Affected Products

  • Cotonti 1.0.0 (master branch, commit f43f1fc38ba4e02027786dad9dac1435c7c52b30)
  • Cotonti Personal File Storage (PFS) module
  • Files affected: modules/pfs/inc/pfs.main.php and modules/pfs/tpl/pfs.tpl

Discovery Timeline

  • 2026-06-18 - CVE-2026-55746 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-55746

Vulnerability Analysis

The vulnerability stems from improper handling of user-supplied folder titles in the PFS module. When a folder is created or renamed, Cotonti reads pff_title through cot_import using the TXT filter. The TXT filter is intended for plain text input, but in this code path the internal tag-stripping check is disabled. As a result, raw HTML and JavaScript characters survive intact and reach persistent storage.

Downstream rendering compounds the issue. In modules/pfs/inc/pfs.main.php, the stored title is assigned to the template variable PFF_ROW_TITLE without passing through htmlspecialchars(). The template file modules/pfs/tpl/pfs.tpl then outputs {PFF_ROW_TITLE} unescaped. Any visitor rendering the folder listing executes the attacker's script in their browser session.

Root Cause

The root cause is a combination of disabled input filtering and missing output encoding. The TXT filter in cot_import is documented to handle plain text, but the tag check is bypassed for this field. No encoding is applied at either the storage step or the rendering step, violating defense-in-depth principles for untrusted input. See the vulnerable code in pfs.main.php for the unescaped assignment.

Attack Vector

An authenticated user with permission to create PFS folders submits a folder title containing an HTML script payload. The payload is stored in the database without sanitization. Any subsequent user viewing the folder listing, including unauthenticated visitors when the folder is public, triggers script execution in their browser. The attacker can then exfiltrate session cookies, perform CSRF-style actions, or redirect users to attacker-controlled hosts.

No verified proof-of-concept code is published. Refer to the Cotonti GitHub repository and the linked source file for the exact code path.

Detection Methods for CVE-2026-55746

Indicators of Compromise

  • PFS folder titles in the database containing HTML tags such as <script>, <img onerror=>, or <svg onload=>.
  • Outbound HTTP requests from end-user browsers to unknown domains immediately after loading a Cotonti PFS folder listing page.
  • Unexpected JavaScript execution or DOM modifications on the /pfs.php listing view.
  • Anomalous session token usage originating from administrator or moderator accounts that recently viewed a public PFS folder.

Detection Strategies

  • Run targeted SQL queries against the PFS folder table to identify pff_title values containing <, >, script, or on*= event handler patterns.
  • Deploy Content Security Policy (CSP) violation reporting to flag inline script execution on PFS pages.
  • Inspect web server access logs for POST requests to PFS folder creation or edit endpoints containing URL-encoded HTML markup in the pff_title parameter.
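A scanner for the database audit and the log check above, added here as an example and not part of the advisory or of Cotonti. The sample titles and form bodies are constructed, the folder id column name is assumed, and pff_parent is a hypothetical second form field.

```python
import re
from urllib.parse import parse_qs

# Patterns from the advisory's detection guidance; bare brackets and "script" are checked below as weaker signals.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>?", re.IGNORECASE)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

def title_findings(title):
    """Return the indicators present in one pff_title value (empty list means clean)."""
    found = []
    if "<" in title or ">" in title:
        found.append("angle-bracket")
    if TAG_RE.search(title):
        found.append("html-tag")
    if HANDLER_RE.search(title):
        found.append("event-handler")
    if "script" in title.lower():
        found.append("script-keyword")
    return found

def audit_titles(rows):
    """rows: (folder id, pff_title) pairs from a SELECT on the PFS folder table (id column name assumed).
    Returns {id: indicators} for every row that needs review; "html-tag" or "event-handler"
    is the strong signal, the other two on their own are usually benign."""
    return {fid: hits for fid, title in rows if (hits := title_findings(title))}

def flag_post_bodies(bodies, param="pff_title"):
    """Decode URL-encoded form bodies and return the pff_title values that carry an indicator.
    Assumes the bodies came from an application or WAF log: a stock access log records the
    request line only, not POST bodies, so the log check needs such a source."""
    hits = []
    for body in bodies:
        for value in parse_qs(body, keep_blank_values=True).get(param, []):
            if title_findings(value):
                hits.append(value)
    return hits

# Constructed sample data, not taken from the advisory or from any real installation.
SAMPLE_ROWS = [
    (1, "Holiday photos"),                # clean
    (2, "Q3 report <2026>"),              # angle brackets, no tag: weak signal
    (3, "Job descriptions"),              # "script" inside a word: weak signal
    (4, "<script>alert(1)</script>"),     # classic stored-XSS probe
    (5, "<img src=x onerror=alert(1)>"),  # event handler without a script tag
    (6, "<svg onload=alert(1)>"),
]
SAMPLE_BODIES = [  # pff_parent is a hypothetical second form field
    "pff_title=Holiday+photos&pff_parent=0",
    "pff_title=%3Csvg+onload%3Dalert%281%29%3E&pff_parent=0",
]
```

Rows 2 and 3 show why the weak signals should lower priority rather than page an analyst; only rows 4 to 6 carry a tag or handler.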

Monitoring Recommendations

  • Monitor authentication events for sessions that view PFS pages followed by unusual privilege actions, which can indicate session theft via XSS.
  • Alert on creation of public PFS folders by recently registered or low-reputation accounts.
  • Forward web application logs to a centralized analytics platform and apply rules that detect HTML tag patterns in stored content fields.

How to Mitigate CVE-2026-55746

Immediate Actions Required

  • Audit existing pff_title values in the database and sanitize or remove entries containing HTML markup.
  • Restrict PFS folder creation permissions to trusted users until a patched build is deployed.
  • Apply a temporary web application firewall rule that blocks HTML tag characters in the pff_title parameter on PFS endpoints.
  • Inform users with elevated privileges to avoid browsing untrusted public PFS folders until remediation is complete.

Patch Information

No official patch reference is recorded in the NVD entry at the time of publication. Monitor the Cotonti GitHub repository for upstream commits that add htmlspecialchars() to the PFF_ROW_TITLE assignment in modules/pfs/inc/pfs.main.php and enforce tag stripping in the import filter for pff_title.

Workarounds

  • Modify modules/pfs/inc/pfs.main.php locally to wrap the title assignment with htmlspecialchars($title, ENT_QUOTES, 'UTF-8') before it reaches PFF_ROW_TITLE.
  • Replace the TXT filter on pff_title with a stricter filter that enforces tag removal, or post-process the input with strip_tags().
  • Disable public visibility of PFS folders site-wide until the code fix is in place.
  • Add a strict Content Security Policy that forbids inline script execution to reduce exploitability while a patch is prepared.
```apache
# Example CSP header to mitigate inline script execution on Cotonti pages (Apache httpd, mod_headers)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
```
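The two code workarounds above, output encoding equivalent to htmlspecialchars() with ENT_QUOTES and strip_tags()-style input filtering, side by side with a check that a rendered listing row contains nothing but its wrapper. This is an added Python illustration, not Cotonti's PHP; the <li> markup is an assumption, not the real pfs.tpl template.

```python
import html
from html.parser import HTMLParser

def encode_title(title):
    """Output-encoding workaround, the equivalent of htmlspecialchars($title, ENT_QUOTES, 'UTF-8').
    Quotes are encoded too, so a title echoed inside an attribute cannot break out of it
    (PHP writes the apostrophe as &#039;, Python as &#x27;; both are inert)."""
    return html.escape(title, quote=True)

class _TagStripper(HTMLParser):
    """Input-filtering workaround: keep text and existing entities only, like PHP strip_tags()."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []
    def handle_data(self, data):
        self.parts.append(data)
    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

def strip_tags(title):
    p = _TagStripper()
    p.feed(title)
    p.close()
    return "".join(p.parts)

def render_row(stored_title, fixed):
    """One listing row. fixed=False mirrors the vulnerable path (PFF_ROW_TITLE receives the stored
    value unchanged); fixed=True applies output encoding. The <li> wrapper is an assumption,
    not the real pfs.tpl markup."""
    title = encode_title(stored_title) if fixed else stored_title
    return f'<li class="pfs-folder">{title}</li>'

class _RowChecker(HTMLParser):
    """Verification: record every element and on* attribute found in a rendered row."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [a for a, _ in attrs if a.lower().startswith("on")]

def row_is_inert(fragment):
    """True only when the <li> wrapper is the sole element and no event handler survived."""
    c = _RowChecker()
    c.feed(fragment)
    c.close()
    return c.tags == ["li"] and not c.handlers
```

Running row_is_inert() over every rendered row of a listing is a quick regression check that the encoding is actually applied after a local patch.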

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
