CVE Catalog

CVE-2026-55745

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

Cotonti version 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. The folder update action ('a=update') does not validate the anti-CSRF token, allowing for modification of folder metadata through a forged request.

Risk Assessment

An attacker can lure an authenticated user into visiting a malicious page, enabling unauthorized changes to folder metadata, including making a private folder public. This poses a risk of compromising user data privacy.

Recommendation

It is recommended to update Cotonti to the latest version that implements proper anti-CSRF token validation in the PFS module. Additionally, consider implementing further security measures to mitigate CSRF attack risks.

Original NVD description (English source)

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS