
CVE-2026-55745: Cotonti PFS Module CSRF Vulnerability

CVE-2026-55745 is a Cross-Site Request Forgery flaw in Cotonti's Personal File Storage module that allows attackers to modify folder metadata, including making private folders public. This post covers technical details.


CVE-2026-55745 Overview

CVE-2026-55745 is a Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0 (master branch, commit f43f1fc3). The flaw resides in the Personal File Storage (PFS) module, specifically the folder update action in modules/pfs/inc/pfs.editfolder.php. The a=update action modifies folder metadata without invoking cot_check_xg() to validate the anti-CSRF token. An attacker who lures an authenticated user to a malicious page can force the victim's browser to submit a forged request. The forged request alters folder title, description, and public/gallery flags, including converting private folders to public. The issue is tracked as CWE-352.

Critical Impact

A remote attacker can modify an authenticated user's PFS folder metadata and expose private folders publicly through a single forged request.

Affected Products

  • Cotonti 1.0.0 (master branch)
  • Commit f43f1fc38ba4e02027786dad9dac1435c7c52b30
  • Personal File Storage (PFS) module — modules/pfs/inc/pfs.editfolder.php

Discovery Timeline

  • 2026-06-18 - CVE-2026-55745 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-55745

Vulnerability Analysis

The vulnerability stems from missing CSRF protection in the PFS folder update handler. Cotonti provides a built-in anti-CSRF mechanism through the cot_check_xg() function, which validates a token (x parameter) tied to the user's session. The a=update action path in pfs.editfolder.php processes incoming folder metadata changes without calling this validation routine. Any state-changing request that arrives with valid session cookies is therefore accepted regardless of origin.

The affected parameters include the folder title, description, and visibility flags that control public exposure and gallery inclusion. A forged request can flip a private folder to public, which exposes previously restricted file listings to anonymous visitors of the site.

EPSS data places the probability of exploitation at 0.116% with a percentile of 1.879.

Root Cause

The root cause is a missing authenticity check on a state-changing HTTP request. The folder update branch does not invoke cot_check_xg() before mutating database records. Cotonti's framework expects developers to call this function on every write action, and the omission breaks the assumed security contract for the PFS module.

Attack Vector

Exploitation requires an authenticated victim and user interaction. The attacker hosts a page containing an auto-submitting HTML form that posts to the Cotonti PFS update endpoint; an image tag works instead only if the handler also accepts the parameters over GET. When the victim loads the malicious page, the browser attaches the Cotonti session cookie and submits the forged request. The server executes the update because no token validation occurs. The attacker cannot read the response but achieves the intended state change. The affected handler is the file and commit listed under Affected Products.

Detection Methods for CVE-2026-55745

Indicators of Compromise

  • Unexpected changes to PFS folder titles, descriptions, or ispublic/isgallery flags in the PFS folders table (cot_pfs_folders with the default table prefix; folder rows live there, while cot_pfs holds the files).
  • HTTP requests to the folder update action (pfs.php?m=edit&a=update, or index.php?e=pfs&m=edit&a=update without URL rewriting) whose Referer or Origin header names a third-party domain.
  • Private folders transitioning to public state without a corresponding user or administrative action in audit logs.

Detection Strategies

  • Review web server access logs for pfs.php?m=edit&a=update (or index.php?e=pfs&m=edit&a=update) requests with cross-origin Referer values. This needs the combined log format, since the common format omits Referer, and only query-string parameters are visible: POST bodies are not logged.
  • Compare folder metadata snapshots against backups to identify unauthorized visibility changes.
  • Query the database for recently modified PFS folder records and correlate with user activity timelines.

Monitoring Recommendations

  • Alert on PFS folder visibility changes from private to public outside of normal user workflows.
  • Monitor for sudden bursts of folder update requests originating from a single authenticated session.
  • Track requests to PFS write actions that lack the anti-CSRF x parameter in the query string, which is where cot_check_xg() reads it from; a request that changed a folder without carrying one is itself evidence that the check is not enforced.
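The log review, token check and snapshot comparison listed above, as an added example that is not part of this advisory or of Cotonti's own code: a Python script that parses combined-format access-log lines (constructed for the example) and flags PFS folder-update requests that lack the x token, arrive with a cross-origin Referer, or change state over GET, then diffs two folder-metadata snapshots to list private-to-public flips. The site origin, the log lines, the folder records and their field names are assumptions of the example; it recognises both URL forms the module can have (pfs.php with URL rewriting, index.php?e=pfs without).

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Origin of the Cotonti install being monitored (assumed for this example).
SITE_ORIGIN = "https://forum.example"

# Constructed access-log lines in Apache/nginx "combined" format; not real traffic.
# 1: forged POST, no x token, third-party Referer.  2: legitimate update, token in URL.
# 3: update over GET with no Referer (what an <img> on a lure page produces).
# 4: plain edit-form view, not an update.  5: token present but third-party Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2026:10:01:02 +0000] "POST /pfs.php?m=edit&a=update&id=12 HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2026:10:01:09 +0000] "POST /index.php?e=pfs&m=edit&a=update&id=12&x=ab12cd34 HTTP/1.1" 302 0 "https://forum.example/index.php?e=pfs&m=edit&id=12" "Mozilla/5.0"
203.0.113.9 - - [18/Jun/2026:10:02:33 +0000] "GET /pfs.php?m=edit&a=update&id=7&ispublic=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jun/2026:10:03:00 +0000] "GET /index.php?e=pfs&m=edit&id=12 HTTP/1.1" 200 5123 "https://forum.example/" "Mozilla/5.0"
198.51.100.4 - - [18/Jun/2026:10:03:05 +0000] "POST /pfs.php?m=edit&a=update&id=3&x=ab12cd34 HTTP/1.1" 302 0 "https://evil.example/" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    target: str
    reasons: tuple


def is_pfs_update(target: str) -> bool:
    """True for the PFS folder update action in either URL form:
    /pfs.php?...&a=update (rewritten) or /index.php?e=pfs&...&a=update (default)."""
    parts = urlsplit(target)
    q = parse_qs(parts.query)
    if q.get("a", [""])[0] != "update":
        return False
    return parts.path.endswith("/pfs.php") or q.get("e", [""])[0] == "pfs"


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, so Referer is compared as an origin, not a string."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def analyze_line(line: str, site_origin: str = SITE_ORIGIN):
    """Return a Finding for a suspicious PFS update request, or None."""
    m = COMBINED_RE.match(line)
    if not m or not is_pfs_update(m["target"]):
        return None
    q = parse_qs(urlsplit(m["target"]).query)
    reasons = []
    # cot_check_xg() reads the token from the query string, which is also the only
    # place an access log can show it; POST bodies are not logged.
    if "x" not in q:
        reasons.append("missing-x-token")
    ref = m["referer"]
    if ref in ("", "-"):
        reasons.append("no-referer")  # stripped by privacy settings: unknown, not hostile
    elif origin_of(ref) != site_origin.lower():
        reasons.append("cross-origin-referer")
    if m["method"] == "GET":
        reasons.append("state-change-over-get")  # reachable from <img>, bypasses SameSite=Lax
    return Finding(m["ip"], m["ts"], m["target"], tuple(reasons)) if reasons else None


def scan_log(log_text: str, site_origin: str = SITE_ORIGIN) -> list:
    return [f for f in (analyze_line(ln, site_origin) for ln in log_text.splitlines()) if f]


# Constructed folder-metadata snapshots keyed by folder id, as one might dump from the
# PFS folders table before and after the suspect window. Field names are this example's
# own, not the table's column names.
SNAPSHOT_BEFORE = {
    12: {"title": "Tax documents", "desc": "2025 returns", "ispublic": 0, "isgallery": 0},
    7: {"title": "Holiday photos", "desc": "", "ispublic": 0, "isgallery": 0},
    3: {"title": "Shared", "desc": "public drop", "ispublic": 1, "isgallery": 1},
}
SNAPSHOT_AFTER = {
    12: {"title": "Tax documents", "desc": "2025 returns", "ispublic": 1, "isgallery": 0},
    7: {"title": "lol", "desc": "", "ispublic": 1, "isgallery": 1},
    3: {"title": "Shared", "desc": "public drop", "ispublic": 1, "isgallery": 1},
}


def diff_folders(before: dict, after: dict) -> dict:
    """Map folder id -> changed fields; a private-to-public flip is additionally tagged EXPOSED."""
    changes = {}
    for fid, now in after.items():
        old = before.get(fid)
        if old is None:
            continue  # newly created folder, not a metadata change to an existing one
        changed = [k for k in now if now[k] != old.get(k)]
        if old.get("ispublic") == 0 and now.get("ispublic") == 1:
            changed.append("EXPOSED")
        if changed:
            changes[fid] = changed
    return changes


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.ts, f.ip, ",".join(f.reasons), f.target)
    for fid, fields in diff_folders(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"folder {fid}: {', '.join(fields)}")
```

A bare "no-referer" is weak on its own, since browsers and privacy extensions routinely strip the header, so it is best used to weight the other signals rather than to alert by itself. The snapshot diff is the check to run first after suspecting abuse: it answers "which folders were exposed" directly, without depending on what the web server happened to log.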

How to Mitigate CVE-2026-55745

Immediate Actions Required

  • Apply CSRF token validation to the a=update branch in modules/pfs/inc/pfs.editfolder.php by adding a cot_check_xg() call before the database update.
  • Audit all PFS folders for unexpected ispublic flag changes and restore private status where appropriate.
  • Restrict access to the PFS module for untrusted user groups until the patch is applied.

Patch Information

No official vendor advisory or patched release is listed in the NVD entry at the time of publication. Administrators should monitor the Cotonti GitHub repository for upstream commits that add cot_check_xg() to the folder update handler.

Workarounds

  • Instruct authenticated users to log out of the Cotonti site before browsing untrusted external content.
  • Deploy a web application firewall rule that rejects PFS update requests lacking an x parameter or arriving with a cross-origin Referer. A WAF can only check that the token is present, not that its value is the victim's, so a forged request that includes an arbitrary x still passes; treat the rule as a stopgap until the handler itself calls cot_check_xg().
  • Set SameSite=Strict or SameSite=Lax on Cotonti's session and remember-me cookies (for PHP's own session cookie, session.cookie_samesite in php.ini on PHP 7.3 or later). Lax still sends the cookie on cross-site top-level GET navigations, so it only helps if the update action rejects GET; Strict blocks the cookie on every cross-site request, including legitimate inbound links to the site.
```apache
# Example WAF rule (ModSecurity v2 syntax) that denies PFS folder updates carrying no x token.
# ARGS covers query-string and POST-body parameters, so SecRequestBodyAccess must be On.
# Matches both the rewritten pfs.php form and the default index.php?e=pfs form of the URL.
SecRule REQUEST_URI|ARGS:e "@rx (?:pfs\.php|^pfs$)" \
  "chain,phase:2,deny,status:403,id:1055745,msg:'CVE-2026-55745 CSRF block'"
  SecRule ARGS:a "@streq update" "chain"
  SecRule &ARGS:x "@eq 0"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
