CVE-2026-55742

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action 'a=update' modifies group access rights including via cotauthaddgroup without calling cotcheckxg to validate th...

CVE-2026-55745

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.editfolder.php, the folder update action 'a=update' updates folder metadata title, description, public/gallery flags without calling cotcheckxg ...

CVE-2026-55741

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

CVE-2026-55746 Cotonti stored XSS via PFS folder title

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pfftitle is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cotimport is disabled, so an authenticated user can...

EUVD-2026-37858

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pfftitle is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cotimport is disabled, so an authenticated user can...

CVE-2026-55746

Cotonti 1.0.0 (master, f43f1fc3) is affected by a stored XSS in the Personal File Storage (PFS) module. A folder title field (pff_title) is imported with the TXT filter, which does not strip/encode HTML because the tag check in cot_import is disabled. The title is assigned to the template variabl...

EUVD-2026-37856

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.editfolder.php, the folder update action 'a=update' updates folder metadata title, description, public/gallery flags without calling cotcheckxg ...

CVE-2026-55745

CVE-2026-55745 affects Cotonti 1.0.0 (master, commit f43f1fc3) in the Personal File Storage (PFS) module. The vulnerability arises in modules/pfs/inc/pfs.editfolder.php, where the folder update action (a=update) updates metadata (title, description, public/gallery flags) without calling cot_check...

CVE-2026-55745 Cotonti CSRF in PFS folder edit allows unauthorized folder modification

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.editfolder.php, the folder update action 'a=update' updates folder metadata title, description, public/gallery flags without calling cotcheckxg ...

CVE-2026-55744

Cotonti 1.0.0 (master, commit f43f1fc3) is vulnerable to CSRF in Personal File Storage (PFS). The file upload action (a=upload) in modules/pfs/inc/pfs.main.php does not call cot_check_xg() to validate the anti-CSRF token, unlike the delete action. A remote attacker could lure an authenticated use...

EUVD-2026-37855

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.main.php, the file upload action 'a=upload' processes uploaded files without calling cotcheckxg to validate the anti-CSRF token, even though...

CVE-2026-55744 Cotonti CSRF in PFS allows forced arbitrary file upload

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.main.php, the file upload action 'a=upload' processes uploaded files without calling cotcheckxg to validate the anti-CSRF token, even though...

EUVD-2026-37854

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action 'a=update' modifies group access rights including via cotauthaddgroup without calling cotcheckxg to validate th...

CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action 'a=update' modifies group access rights including via cotauthaddgroup without calling cotcheckxg to validate th...

CVE-2026-55742

Cotonti 1.0.0 (master, commit f43f1fc3) is vulnerable to CSRF in system/admin/admin.rights.php while performing the update action (a=update). The code path updates group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate an anti-CSRF token. A remote attack...

CVE-2026-55741

Cotonti 1.0.0 (master, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the admin configuration handler. The vulnerability occurs in system/admin/admin.config.php where the update action (a=update) processes POST data via cot_config_update_options() without calling cot_check_xg() t...

CVE-2026-55741 Cotonti CSRF in admin.config.php allows unauthorized configuration changes

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...

CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...

CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...