CVE-2026-58144
Deferred Deferred - Pending Action

Stored XSS in Cotonti Siena via PFS Folder Title

Vulnerability report for CVE-2026-58144, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cotonti siena to 0.9.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Cotonti Siena version 0.9.26 and earlier. It allows authenticated users with PFS access to inject malicious script code by submitting crafted HTML in the 'ntitle' parameter, which is processed through the TXT filter in the pfs.main.php file.

Specifically, attackers can create a folder with a title containing script tags that are stored without proper escaping in the database. When any user, including administrators, views the folder listing, the malicious script executes in their browser.

Impact Analysis

This vulnerability can lead to the execution of arbitrary scripts in the browsers of users who view the affected folder listings. This can result in unauthorized actions such as session hijacking, defacement, or theft of sensitive information.

Since the malicious scripts execute in the context of the affected website, attackers could potentially perform actions on behalf of legitimate users, including administrators, leading to further compromise of the system.

Compliance Impact

This stored cross-site scripting (XSS) vulnerability in Cotonti Siena allows attackers to execute arbitrary scripts in the browsers of users, including administrators. Such exploitation can lead to theft of session cookies and unauthorized access to user accounts or sensitive information.

From a compliance perspective, this vulnerability can impact adherence to standards like GDPR and HIPAA because it may lead to unauthorized disclosure or compromise of personal or protected health information. Failure to protect against such vulnerabilities could result in violations of data protection requirements, potentially leading to legal and regulatory consequences.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious script tags in folder titles within the Personal File Space (PFS) module of Cotonti Siena 0.9.26 and earlier. Since the vulnerability involves stored cross-site scripting via the ntitle parameter, inspecting the database entries for folder titles containing unescaped HTML or JavaScript code is a key detection method.

Additionally, monitoring HTTP traffic for suspicious payloads in requests that create or modify folder titles in the PFS module can help identify exploitation attempts.

Suggested commands include querying the database to find folder titles with script tags or suspicious HTML. For example, if using MySQL, a command like the following can be used:

  • SELECT * FROM pfs_folders WHERE ntitle LIKE '%<script>%';

Also, web application scanning tools or custom scripts can be used to automate detection by attempting to inject script payloads into the ntitle parameter and observing if they are stored and rendered unescaped.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling authenticated user access to the Personal File Space (PFS) module to prevent attackers from creating folders with malicious titles.

Another important step is to manually sanitize or remove any folder titles containing suspicious or malicious script tags from the database.

Since the vendor has not released a fix, applying a custom patch to properly escape or filter HTML tags in the ntitle parameter before storing or rendering is recommended.

Additionally, educating users and administrators to avoid clicking on suspicious folder listings and monitoring for unusual activity can help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart