Cross-Site Request Forgery Vulnerability in Cotonti Admin Rights Handler
CVE-2026-55742

9.4 CRITICAL

Key Information:

Vendor: Cotonti
Status: Vendor
CVE Published: 18 June 2026

What is CVE-2026-55742?

Cotonti 1.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the administration rights handler, system/admin/admin.rights.php. The rights update action does not validate an anti-CSRF token, so a request that changes group access rights is honoured on the strength of the administrator's session cookie alone. An attacker who entices an authenticated administrator to a malicious page can therefore have the administrator's browser submit a forged rights update and grant elevated permissions to a group the attacker controls. Because Cotonti administrators can also alter templates and configuration, the same primitive can be chained toward remote code execution, compromising the integrity of the whole installation. Note that the attacker needs no privileges of their own, but the attack only succeeds while an administrator is logged in and visits the attacker's page; the CVSS entry below leaves the Privileges Required and User Interaction metrics unfilled, so read the 9.4 score with that in mind.
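To make the defect concrete, the following is an added illustration written for this page; it is not Cotonti's code and does not reproduce admin.rights.php. It places the vulnerable shape of a rights-update handler (authentication only) beside a hardened shape that also requires a per-session anti-CSRF token, and runs both against a forged cross-site request and a legitimate same-origin one. The function names (issue_token, token_is_valid, update_rights_*), the POST field names (group, area, level, x) and the sample rights table are all hypothetical; Cotonti ships its own token helpers, whose exact names this example does not assume.

```php
<?php
// Added example for this advisory page; not Cotonti code.
// All function names, POST field names and sample data are hypothetical.
declare(strict_types=1);

// Constructed stand-ins for the PHP session and the group rights table.
$session = ['user_id' => 1, 'is_admin' => true, 'csrf_token' => null];
$rights  = ['editors' => ['pages' => 'R'], 'admins' => ['pages' => 'RWA']];

/** Issue a random per-session token; the admin form page must embed it. */
function issue_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session copy. */
function token_is_valid(array $session, ?string $submitted): bool {
    return is_string($submitted)
        && !empty($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

/** VULNERABLE shape: any POST arriving with an admin session is honoured. */
function update_rights_vulnerable(array $session, array $post, array &$rights): bool {
    if (empty($session['is_admin'])) {
        return false;                      // authentication/authorisation only
    }
    $rights[$post['group']][$post['area']] = $post['level'];
    return true;
}

/** HARDENED shape: same handler, but the request must carry a valid token. */
function update_rights_hardened(array $session, array $post, array &$rights): bool {
    if (empty($session['is_admin'])) {
        return false;
    }
    if (!token_is_valid($session, $post['x'] ?? null)) {
        return false;                      // forged cross-site request rejected
    }
    $rights[$post['group']][$post['area']] = $post['level'];
    return true;
}

// A cross-site page cannot read the victim's token (same-origin policy),
// so the forged POST it auto-submits carries none.
$forged = ['group' => 'editors', 'area' => 'pages', 'level' => 'RWA'];

$r1 = $rights;
echo 'vulnerable, forged request: ',
     update_rights_vulnerable($session, $forged, $r1) ? 'rights changed' : 'rejected', "\n";

$r2 = $rights;
echo 'hardened, forged request: ',
     update_rights_hardened($session, $forged, $r2) ? 'rights changed' : 'rejected', "\n";

// A legitimate submission from the admin form includes the embedded token.
issue_token($session);
$legit = $forged + ['x' => $session['csrf_token']];
$r3 = $rights;
echo 'hardened, same-origin request: ',
     update_rights_hardened($session, $legit, $r3) ? 'rights changed' : 'rejected', "\n";
```

The check must run on every state-changing action, not only on the form that renders the page; a token embedded in the form but never verified on submit is exactly the gap described above. Setting the session cookie with SameSite=Lax or Strict is a worthwhile second layer, since browsers then withhold the cookie on cross-site POSTs, but it does not replace server-side token validation.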

Affected Version(s)

Cotonti 1.0.0

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 18 June 2026

Credit

Saidakbarxon Maxsudxonov (sermikro), Innova Networks