Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as 'delete' (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim's PFS storage.
Published: 2026-06-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Cotonti 1.0.0 the Personal File Storage module's upload action (a=upload in modules/pfs/inc/pfs.main.php) stores the submitted file without calling cot_check_xg(), so nothing in the request proves it originated from a page the site itself served to the user. A page under the attacker's control can auto-submit a multipart form at the upload endpoint; the victim's browser attaches the session cookie, and the server writes the attacker-chosen file name and content into the victim's PFS storage. Because the attacker controls both, the planted file may later be viewed, served or executed from the victim's account, consistent with the record's CVSS vector, which rates both confidentiality and integrity impact as high. One precondition the vector does not spell out: the victim's session cookie must actually be sent on a cross-site POST, which a cookie marked SameSite=Lax or Strict prevents, so the attack assumes the cookie is sent cross-site.

Affected Systems

All installations of Cotonti 1.0.0 (master branch at commit f43f1fc3) with the Personal File Storage module enabled are affected. The flaw is confined to that module's upload action, but any site running the affected version and exposing PFS uploads to logged-in users is reachable through it.

Risk and Exploitability

The record scores the flaw 8.6 (High) under CVSS v4.0 and 8.1 under v3.1. An EPSS score below 1% and the absence of the CVE from the CISA KEV catalog indicate no observed exploitation so far, matching the SSVC assessment of 'Exploitation: none'. The attacker needs no account on the site (PR:N); what is required is an authenticated victim who loads an attacker-controlled page (UI:P) that submits the forged multipart request, so the attack rides on the victim's browser and session rather than on any server-side foothold. On success the attacker has chosen the name and content of a file that now sits in the victim's own storage, where it can be served back or referenced in a follow-on attack.

Generated by OpenCVE AI on June 18, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Cotonti release that adds cot_check_xg() to the PFS upload action as soon as one is published; until then, patch modules/pfs/inc/pfs.main.php locally so the 'upload' branch validates the token the same way the existing 'delete' branch does, and check that the upload form still submits the token, or legitimate uploads will be rejected along with forged ones
  • Disable or restrict the Personal File Storage upload feature until the fix is in place
  • Warn users that an attacker-controlled page can trigger the upload without any visible prompt, so they should avoid untrusted links while logged in to the site
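The missing check, modelled in runnable form. This is an added example written for this page, not Cotonti's code. What the advisory supports is only that the PFS upload action stores files without calling cot_check_xg() while the delete action does call it. Everything else is assumed for the example: the request and session model, the multipart field name userfile, the cookie name sid, the site origin, and the semantics of the token check (an 'x' query parameter compared against a per-session secret), which is how the example's check_xg() stands in for cot_check_xg(). The block runs a legitimate upload and a forged cross-site upload through a pre-fix handler and a fixed handler and reports what each stored.

```python
"""Cotonti PFS upload action modelled before and after an anti-CSRF token check.

Added example, not Cotonti's code. The advisory supports only this: a=upload in
modules/pfs/inc/pfs.main.php stores files without calling cot_check_xg(), while
a=delete does call it. Assumed here: the request/session model, the 'userfile'
field, the 'sid' cookie, the site origin, and check_xg(), which stands in for
cot_check_xg() as "the 'x' query parameter must equal a per-session secret".
"""
import hmac
import secrets
from dataclasses import dataclass
from email.parser import BytesParser
from email.policy import default
from urllib.parse import parse_qs

SITE_ORIGIN = "https://cotonti.example"  # assumed
# Constructed session store: one logged-in user with a random per-session token.
SESSIONS = {"sid-abc123": {"user": "alice", "xk": secrets.token_hex(16)}}

@dataclass
class Request:
    method: str
    query: str      # e.g. "m=pfs&a=upload&x=<token>"
    headers: dict   # Cookie, Origin, Content-Type
    body: bytes

def load_session(req: Request) -> dict:
    """Resolve the session from the cookie. The browser attaches the cookie to a
    cross-site POST too (unless SameSite blocks it), so this succeeds for a forgery."""
    cookies = dict(kv.strip().split("=", 1)
                   for kv in req.headers.get("Cookie", "").split(";") if "=" in kv)
    return SESSIONS.get(cookies.get("sid"), {})

def parse_multipart(content_type: str, body: bytes) -> dict:
    """Return {field_name: (filename, bytes)} via the stdlib MIME parser."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    return {p.get_param("name", header="content-disposition"):
            (p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_parts()}

def check_xg(req: Request, session: dict) -> bool:
    """Model of cot_check_xg(): 'x' must equal the session token (constant-time
    compare). An attacker's page cannot read the token, so a forgery lacks it."""
    sent = parse_qs(req.query).get("x", [""])[0]
    expected = session.get("xk", "")
    return bool(expected) and hmac.compare_digest(sent, expected)

def store_file(req: Request, session: dict, store: dict) -> str:
    filename, data = parse_multipart(req.headers["Content-Type"], req.body)["userfile"]
    store.setdefault(session["user"], {})[filename] = data
    return "stored"

def pfs_upload_vulnerable(req: Request, store: dict) -> str:
    """Pre-fix behaviour: a valid session cookie alone authorises the write."""
    session = load_session(req)
    if req.method != "POST" or not session:
        return "denied"
    return store_file(req, session, store)

def pfs_upload_hardened(req: Request, store: dict) -> str:
    """Fixed behaviour: check the token first, as the delete action already does."""
    session = load_session(req)
    if req.method != "POST" or not session:
        return "denied"
    if not check_xg(req, session):
        return "csrf-rejected"
    # Defence in depth, not a substitute for the token: browsers send Origin on
    # cross-site POSTs, so a foreign Origin is refused outright.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "origin-rejected"
    return store_file(req, session, store)

def multipart_body(filename: str, data: bytes, boundary: str = "----boundary7f3a") -> tuple:
    """Constructed multipart/form-data body with a single file part named 'userfile'."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="userfile"; filename="{filename}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n").encode()
    return f"multipart/form-data; boundary={boundary}", head + data + f"\r\n--{boundary}--\r\n".encode()

def scenario() -> dict:
    """Run a legitimate upload and a forged cross-site upload through both handlers."""
    sid, token = "sid-abc123", SESSIONS["sid-abc123"]["xk"]
    ctype, body = multipart_body("notes.txt", b"hello")
    legit = Request("POST", f"m=pfs&a=upload&x={token}",
                    {"Cookie": f"sid={sid}", "Origin": SITE_ORIGIN, "Content-Type": ctype}, body)
    # The attacker's page auto-submits a form: the victim's browser adds the cookie,
    # but the attacker never sees the token, so 'x' is absent.
    ctype, body = multipart_body("evil.php", b"<?php echo 'pwned'; ?>")
    forged = Request("POST", "m=pfs&a=upload", {"Cookie": f"sid={sid}",
                     "Origin": "https://attacker.example", "Content-Type": ctype}, body)
    vuln_store, fixed_store = {}, {}
    return {"vulnerable": {"legit": pfs_upload_vulnerable(legit, vuln_store),
                           "forged": pfs_upload_vulnerable(forged, vuln_store)},
            "hardened": {"legit": pfs_upload_hardened(legit, fixed_store),
                         "forged": pfs_upload_hardened(forged, fixed_store)},
            "files_vulnerable": sorted(vuln_store.get("alice", {})),
            "files_hardened": sorted(fixed_store.get("alice", {}))}

if __name__ == "__main__":
    print(scenario())
```

Running it shows the forged request succeeding against pfs_upload_vulnerable() (evil.php lands in the victim's storage) and failing with csrf-rejected against pfs_upload_hardened(), while the legitimate request passes both. The Origin comparison is defence in depth only; the token is what the fix must add. When the check is added to the real upload branch, the upload form has to carry the token as well, otherwise legitimate uploads are rejected too.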

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type         Values Removed   Values Added
Description                   Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as 'delete' (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim's PFS storage.
Title                         Cotonti CSRF in PFS allows forced arbitrary file upload
Weaknesses                    CWE-352
References
Metrics                       cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
                              cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:52:24.875Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55744

Vulnrichment

Updated: 2026-06-18T12:52:20.410Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)