CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58144

mediumCVSS 5.4covered by 1 sourcefirst seen 2026-07-09
Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.

⚡ Watch CVE-2026-58144

Get an email if CVE-2026-58144 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58144

CVE.org record

Embed the live status

CVE-2026-58144 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58144 status](https://www.csirts.com/badge/CVE-2026-58144)](https://www.csirts.com/cve/CVE-2026-58144)