CVE-2026-55741
Received Received - Intake
Cross-Site Request Forgery in Cotonti CMS

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-55741
EUVD
EUVD-2026-37853
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cotonti cotonti 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-55741 is a Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0's administration configuration handler. Specifically, the configuration update action in system/admin/admin.config.php processes POST data without validating the anti-CSRF token, unlike other admin handlers. This means a remote attacker can trick an authenticated administrator into visiting a malicious page that forces the browser to submit a forged request, allowing the attacker to modify arbitrary core, module, or plugin configuration options.

This vulnerability arises from insufficient input validation and sanitization in the configuration management functionality, enabling an attacker with administrative access to perform unauthorized actions or potentially execute arbitrary code by manipulating configuration parameters through crafted requests.

Impact Analysis

This vulnerability can have severe impacts as it allows a remote attacker to modify critical configuration settings of the Cotonti CMS without proper authorization. By exploiting this flaw, an attacker can weaken the security posture of the system or enable further compromise, such as executing arbitrary code or escalating privileges.

Since the attacker can force an authenticated administrator's browser to submit forged requests, the integrity and security of the administration panel and the entire CMS can be compromised, potentially leading to data breaches, service disruption, or unauthorized control over the system.

Detection Guidance

This vulnerability involves the Cotonti CMS administration configuration handler processing POST requests without proper anti-CSRF token validation. Detection can focus on monitoring for suspicious POST requests to the administration configuration update endpoint (system/admin/admin.config.php) that include the action parameter 'a=update' without a valid CSRF token.

You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to filter POST requests targeting the admin configuration update URL.

  • Use command-line tools like curl or wget to simulate requests and verify if the endpoint accepts POST requests without CSRF tokens.
  • Example command to test the vulnerable endpoint (replace URL and parameters accordingly):
  • curl -X POST -d 'a=update&[configuration_parameters]' https://your-cotonti-site.com/system/admin/admin.config.php
  • Check web server access logs for POST requests to 'admin.config.php' with 'a=update' parameter lacking a valid CSRF token.
Mitigation Strategies

Immediate mitigation steps include restricting access to the administration configuration update endpoint to trusted administrators only and implementing proper CSRF protection.

Specifically, ensure that the configuration update action validates the anti-CSRF token (the 'x' parameter) before processing POST data, similar to other admin handlers.

If a patch or update is available from the Cotonti project, apply it promptly to fix the missing CSRF token validation.

  • Restrict access to system/admin/admin.config.php via web server configuration or firewall rules.
  • Educate administrators to avoid clicking on suspicious links while authenticated.
  • Monitor logs for unusual POST requests to the vulnerable endpoint.
Compliance Impact

The vulnerability in Cotonti 1.0.0 allows a remote attacker to perform Cross-Site Request Forgery (CSRF) attacks on the administration configuration handler, potentially modifying core, module, or plugin configuration options without proper authorization.

Such unauthorized configuration changes could weaken the security posture of the system, potentially leading to unauthorized access or data breaches.

This could impact compliance with common standards and regulations like GDPR and HIPAA, which require adequate security controls to protect personal and sensitive data from unauthorized access or modification.

Specifically, failure to prevent CSRF attacks and unauthorized configuration changes may violate requirements for maintaining the confidentiality, integrity, and availability of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart