CVE-2026-55746

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF ROW TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF ROW TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.