Cross-Site Request Forgery Vulnerability in Cotonti Siena by Cotonti
CVE-2026-58143

8.7HIGH

Key Information:

Vendor

Cotonti

Status
Vendor
CVE Published:
9 July 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-58143?

Cotonti Siena versions 0.9.26 and earlier are susceptible to a Cross-Site Request Forgery vulnerability that poses serious implications for the security of administrator configurations. This flaw allows unauthenticated attackers to exploit the application by tricking a logged-in administrator into submitting a forged POST request directed at the admin.php config update handler. Notably, the application fails to invoke CSRF validation upon this action, which can result in the modification of sensitive configuration settings. Exploiters can disable the PFS module's file extension whitelist, thereby enabling any user with PFS access to upload and execute arbitrary PHP files on the server. This vulnerability emphasizes the importance of implementing robust CSRF protection measures to safeguard administrative functions.

Affected Version(s)

Cotonti 0 <= 0.9.26

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Saidakbarxon Maxsudxonov
.