PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55744 Cotonti CVE debrief

CVE-2026-55744 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0's Personal File Storage (PFS) module. An attacker can exploit this by luring an authenticated user to visit a malicious page, forcing their browser to submit a forged multipart request that uploads arbitrary files into the victim's PFS storage. This vulnerability has a CVSS score of 8.6 and is considered HIGH severity. The issue arises from the file upload action in modules/pfs/inc/pfs.main.php not validating the anti-CSRF token.

Vendor: Cotonti
Product: Unknown
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-22
Advisory published: 2026-06-18
Advisory updated: 2026-06-22

Who should care

Administrators and users of Cotonti 1.0.0, especially those using the Personal File Storage (PFS) module, should be aware of this vulnerability. Web application security teams and developers using Cotonti should prioritize patching this vulnerability to prevent potential attacks.

Technical summary

The vulnerability exists in the file upload action ('a=upload') of modules/pfs/inc/pfs.main.php. Unlike sibling actions such as 'delete', this action does not call cot_check_xg() to validate the anti-CSRF token before processing the request. Because the browser attaches the victim's session cookie automatically, an attacker-controlled page can auto-submit a multipart form to the upload endpoint; when an authenticated user visits that page, the forged request is accepted and arbitrary files are written into the victim's PFS storage.
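The following PHP fragment is an added illustration of the fix pattern the summary describes; it is not Cotonti's own code. The action switch, the `pfs_store_upload()` / `pfs_delete_file()` helpers and the `file` field name are assumptions made for the example. `cot_check_xg()` is the anti-CSRF check the advisory names; `cot_import()`, `cot_die_message()` and `cot_xp()` (the hidden-input token helper) are Cotonti API functions assumed to be available here.

```php
<?php
// Added example, not Cotonti's own code. Shows the 'upload' branch of a
// PFS action switch with and without the anti-CSRF token check, next to
// the 'delete' sibling that already validates the token.
// Assumed for the example: $a (action name), pfs_delete_file(),
// pfs_store_upload() and the 'file' upload field.

defined('COT_CODE') or die('Wrong URL.');

switch ($a) {
    case 'delete':
        // Sibling action: the token is validated before any state change.
        cot_check_xg();
        pfs_delete_file((int) cot_import('id', 'G', 'INT'));
        break;

    case 'upload':
        // Vulnerable form (as described in the advisory): no
        // cot_check_xg() call, so a cross-site multipart POST carrying the
        // victim's session cookie is accepted.
        //
        //   pfs_store_upload($_FILES['file']);

        // Hardened form: validate the anti-CSRF token exactly as 'delete'
        // does, and refuse anything that is not a POST. cot_check_xg()
        // terminates the request when the 'x' token does not match the
        // session.
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            cot_die_message(403);
        }
        cot_check_xg();
        pfs_store_upload($_FILES['file']);
        break;
}

// The upload form must carry the token for the check to succeed. With the
// hidden-input helper (assumed here) that is one extra field in the
// template:
//
//   <form method="post" enctype="multipart/form-data" action="...">
//     <?php echo cot_xp(); ?>
//     <input type="file" name="file">
//   </form>
```

The token check must sit before the file is moved into storage; a check placed after `pfs_store_upload()` would still leave the forged write in place. Adding the `x` field to the form is the half of the fix that is easy to forget: without it, legitimate uploads would fail the same check.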

Defensive priority

High

Recommended defensive actions

  • Apply the official patch or update to a fixed version of Cotonti as soon as available.
  • Implement additional CSRF protections for file upload actions in Cotonti's PFS module.
  • Restrict access to the PFS module to only trusted users and networks.
  • Monitor PFS module activity for suspicious file uploads.
  • Educate users about the risks of visiting malicious pages while authenticated to Cotonti.
  • Consider using a Web Application Firewall (WAF) to detect and block CSRF attacks.

Evidence notes

The vulnerability is confirmed in Cotonti 1.0.0 (master branch, commit f43f1fc3). The issue is located in modules/pfs/inc/pfs.main.php, specifically in the file upload action. The CVSS score of 8.6 indicates high severity. References to the vulnerable code and Cotonti repository are provided.
