CVE-2026-55741
Severity CVSS v4.0:
HIGH
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
18/06/2026
Last modified:
22/06/2026
Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH



