Cross-Site Request Forgery in Cotonti's Personal File Storage Module
CVE-2026-55745

5.3 MEDIUM

Key Information:

Vendor

Cotonti

Status
Vendor
CVE Published:
18 June 2026

What is CVE-2026-55745?

Cotonti 1.0.0 has a Cross-Site Request Forgery (CSRF) vulnerability in its Personal File Storage (PFS) module. The flaw is in pfs.editfolder.php: when the 'a=update' action is executed, the script updates folder metadata without validating the anti-CSRF token. A remote attacker can craft a malicious page that tricks an authenticated user into submitting a forged request, which modifies the folder's metadata without authorization and can make private folders publicly accessible.
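
A log-review sketch for the flaw described above, added here as an example and not taken from the advisory or from Cotonti: it flags requests to the PFS folder update action whose Referer points at another site, which is how a forged cross-site submission usually appears in an access log. The hostname, the Combined Log Format, the URL layout (`editfolder` in the path or the `m` parameter, plus `a=update`) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the site's own hostname; replace with yours.
SITE_HOST = "cms.example.test"

# Combined Log Format: ip - user [time] "METHOD url PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def is_pfs_folder_update(url):
    """True if the request targets PFS editfolder with a=update (assumed URL layout)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    in_editfolder = "editfolder" in parts.path or "editfolder" in query.get("m", [])
    return in_editfolder and "update" in query.get("a", [])

def classify(line, site_host=SITE_HOST):
    """Return None for unrelated lines, else (verdict, client_ip, referer)."""
    m = LINE_RE.match(line)
    if not m or not is_pfs_folder_update(m["url"]):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"   # inconclusive: stripped by browser policy or a proxy
    elif urlsplit(referer).hostname == site_host:
        verdict = "same-site"    # submitted from the site's own folder form
    else:
        verdict = "cross-site"   # consistent with a forged request
    return verdict, m["ip"], referer

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2026:10:01:02 +0000] "POST /index.php?e=pfs&m=editfolder&a=update&f=3 HTTP/1.1" 302 0 "https://cms.example.test/index.php?e=pfs&m=editfolder&f=3" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:05:40 +0000] "POST /index.php?e=pfs&m=editfolder&a=update&f=3 HTTP/1.1" 302 0 "https://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Jun/2026:10:07:11 +0000] "POST /index.php?e=pfs&m=editfolder&a=update&f=9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Jun/2026:10:08:00 +0000] "GET /index.php?e=pfs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def suspicious(lines):
    """Folder-update requests whose Referer is a different host."""
    return [r for r in map(classify, lines) if r and r[0] == "cross-site"]

if __name__ == "__main__":
    for verdict, ip, referer in filter(None, map(classify, SAMPLE_LOG)):
        print(f"{verdict:11} {ip:15} {referer}")
```

A missing Referer is reported separately because browsers and proxies can strip it. Log review only helps find past abuse; the fix itself is validating the anti-CSRF token in the update handler.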

Affected Version(s)

Cotonti 1.0.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Saidakbarxon Maxsudxonov (sermikro), Innova Networks