CVE-2026-55744
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Cotonti version 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. The file upload action ('a=upload') does not validate the anti-CSRF token, allowing a remote attacker to upload arbitrary files to the victim's PFS storage.
Risk Assessment
An attacker can exploit this vulnerability to upload malicious files to the victim's file storage, potentially leading to further attacks or data leakage.
Recommendation
It is recommended to implement anti-CSRF token validation in the file upload action and to update Cotonti to the latest version to mitigate the risk.
Original NVD description (English source)
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as 'delete' (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim's PFS storage.

