Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered CSRF requires passive user interaction (UI:R); attacker needs no privileges; integrity impact is folder metadata only; confidentiality impact reflects indirect exposure of files in a newly-public folder.
Primary rating from Vendor (TuranSec).
CVSS VectorVendor: TuranSec
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.
AnalysisAI
Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be authenticated to a Cotonti instance that has the PFS (Personal File Storage) module enabled - this module is not guaranteed to be active in all deployments, which limits the exploitable population. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 scores this at 5.4 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a hidden HTML form on a malicious webpage that auto-submits a POST request to the victim's Cotonti instance, targeting the PFS module's folder update endpoint with parameters that set the public flag to true on a specific folder ID. The attacker delivers a phishing link to a Cotonti user who is currently authenticated, and when that user's browser loads the malicious page, it silently submits the forged request, causing the victim's private folder - and any files within it - to become publicly accessible without any indication to the victim. … |
| Remediation | No vendor-released patched version has been identified from the available data - the provided references link only to the vulnerable source file and the upstream GitHub repository, not to a fix commit, advisory, or tagged release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37856
GHSA-hp3v-wp32-953h