Home

Description

Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler, which never invokes the application's CSRF validation function. Attackers can disable the PFS module's file extension whitelist by setting pfsfilecheck to 0, enabling any user with PFS access to upload and execute arbitrary PHP files on the server.

PUBLISHED Reserved 2026-06-29 | Published 2026-07-09 | Updated 2026-07-09 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

Cross-Site Request Forgery (CSRF)

Product status

Default status
affected

Any version
affected

Credits

Saidakbarxon Maxsudxonov finder

References

gist.github.com/sermikr0/75686815e441c07462cfdea2fed5d305 (Researcher Disclosure) technical-description exploit

www.vulncheck.com/...rf-via-admin-php-config-update-endpoint third-party-advisory

cve.org (CVE-2026-58143)

nvd.nist.gov (CVE-2026-58143)

Download JSON