What is GHSA-86hp-hf3j-3m8r?

GHSA-86hp-hf3j-3m8r is a security advisory published by GitHub Security Advisories with High severity. Cotonti: Stored Cross-Site Scripting in the Personal File Storage (PFS) module

Which CVE IDs does GHSA-86hp-hf3j-3m8r cover?

GHSA-86hp-hf3j-3m8r covers the following CVE IDs: CVE-2026-55746. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-86hp-hf3j-3m8r?

GHSA-86hp-hf3j-3m8r has a CVSS v3 base score of 7.6, published by GitHub Security Advisories.

Which products are affected by GHSA-86hp-hf3j-3m8r?

GHSA-86hp-hf3j-3m8r affects 1 product, including: composer/cotonti/cotonti:\u003c= 1.0.0.

GHSA-86hp-hf3j-3m8rHighCVSS 7.6

Cotonti: Stored Cross-Site Scripting in the Personal File Storage (PFS) module

Vendor

GitHub Security Advisories

Published

June 18, 2026

Last Modified

June 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-55746 →

📋 Description

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.

🎯 Affected products1

composer/cotonti/cotonti:<= 1.0.0

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-55746
https://github.com/Cotonti/Cotonti
https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.main.php#L396
https://github.com/advisories/GHSA-86hp-hf3j-3m8r