CVE-2026-55741
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-352
Falsificación de petición en sitios cruzados (Cross-Site Request Forgery)
Fecha de publicación:
18/06/2026
Última modificación:
22/06/2026
Descripción
*** Pendiente de traducción *** Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.
Impacto
Puntuación base 4.0
8.70
Gravedad 4.0
ALTA
Puntuación base 3.x
8.80
Gravedad 3.x
ALTA



