PatchSiren cyber security CVE debrief

CVE-2026-55745 Cotonti CVE debrief

The Cotonti 1.0.0 web application, specifically the Personal File Storage (PFS) module, is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability allows a remote attacker to force an authenticated user's browser to submit a forged request, modifying the victim's folder metadata. The issue arises from the lack of validation for the anti-CSRF token in the folder update action. A successful exploit could lead to unauthorized changes to folder metadata, including making private folders public. Users of Cotonti 1.0.0 should take immediate action to secure their installations.

Vendor: Cotonti
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-22
Advisory published: 2026-06-18
Advisory updated: 2026-06-22

Who should care

System administrators and users of Cotonti 1.0.0, especially those with authenticated access to the Personal File Storage (PFS) module, should be aware of this vulnerability. Web application security teams and developers using Cotonti should prioritize patching or mitigating this issue to prevent potential unauthorized access and data manipulation.

Technical summary

The vulnerability exists in the modules/pfs/inc/pfs.editfolder.php file, specifically in the folder update action ('a=update'). The update process does not call cot_check_xg() to validate the anti-CSRF token, making it susceptible to CSRF attacks. An attacker can lure an authenticated user into visiting a malicious page, causing the browser to submit a forged request that modifies folder metadata without the user's consent. This could lead to unauthorized changes, such as making a private folder public.
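The following is an added illustration, not Cotonti's code: a minimal Python model of the folder update action with the anti-CSRF check switched off (the behaviour described above) and on. The session store, the `x` token parameter, the `check_xg` helper and the folder record are all constructed for the example; the only thing a cross-site form cannot supply is the session-bound token, so that check is what separates a forged submission from a legitimate one.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a session store and a folder table.
SID = "sess-victim"
SESSIONS = {SID: {"user": "alice", "xg": secrets.token_hex(16)}}
FOLDERS = {7: {"owner": "alice", "title": "Private docs", "public": False}}


def cot_xg(session_id):
    """Return the anti-CSRF token bound to this session (assumed helper)."""
    return SESSIONS[session_id]["xg"]


def check_xg(session_id, submitted):
    """Compare the submitted token with the session's in constant time."""
    if submitted is None:
        return False
    return hmac.compare_digest(SESSIONS[session_id]["xg"], submitted)


def update_folder(session_id, params, check_token=True):
    """Folder update handler ('a=update'). check_token=False models the
    unpatched code path that never validates the token."""
    if check_token and not check_xg(session_id, params.get("x")):
        return "rejected: bad or missing anti-CSRF token"
    folder = FOLDERS[int(params["id"])]
    if folder["owner"] != SESSIONS[session_id]["user"]:
        return "rejected: not the owner"
    folder["title"] = params.get("title", folder["title"])
    folder["public"] = params.get("public") == "1"
    return "updated"


def forged_request():
    """Parameters a cross-site form can submit: the victim's session cookie
    rides along automatically, but the token never does."""
    return {"a": "update", "id": "7", "public": "1"}


def run_scenarios():
    """Replay the same forged request against the unpatched and patched
    handler, then a legitimate request that carries the token."""
    results = {}
    FOLDERS[7]["public"] = False
    results["unpatched"] = (update_folder(SID, forged_request(), False), FOLDERS[7]["public"])
    FOLDERS[7]["public"] = False
    results["patched"] = (update_folder(SID, forged_request()), FOLDERS[7]["public"])
    legit = dict(forged_request(), x=cot_xg(SID))
    results["legit"] = (update_folder(SID, legit), FOLDERS[7]["public"])
    return results
```

`run_scenarios()` shows the private folder flipping to public only on the unpatched path; with the check in place the forged submission is refused before any metadata is touched.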

Defensive priority

High

Recommended defensive actions

  • Apply the official patch or update to the latest version of Cotonti as soon as available.
  • Implement additional CSRF protection measures for the PFS module until an official fix is applied.
  • Educate users about the risks of clicking on suspicious links or visiting untrusted websites while authenticated to the Cotonti application.
  • Monitor PFS module activity for any unauthorized changes to folder metadata.
  • Consider temporarily disabling the PFS module or restricting access to it until the vulnerability is resolved.
  • Regularly review and update Cotonti to ensure the latest security patches are applied.

Evidence notes

The vulnerability information was obtained from the National Vulnerability Database (NVD) and the CVE.org record. The affected code is located in the modules/pfs/inc/pfs.editfolder.php file of the Cotonti 1.0.0 application. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery).
