What is GHSA-hp3v-wp32-953h?

GHSA-hp3v-wp32-953h is a security advisory published by GitHub Security Advisories with Medium severity. Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module

Which CVE IDs does GHSA-hp3v-wp32-953h cover?

GHSA-hp3v-wp32-953h covers the following CVE IDs: CVE-2026-55745. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-hp3v-wp32-953h?

GHSA-hp3v-wp32-953h has a CVSS v3 base score of 5.4, published by GitHub Security Advisories.

Which products are affected by GHSA-hp3v-wp32-953h?

GHSA-hp3v-wp32-953h affects 1 product, including: composer/cotonti/cotonti:\u003c= 1.0.0.

GHSA-hp3v-wp32-953hMediumCVSS 5.4

Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module

Vendor

GitHub Security Advisories

Published

June 18, 2026

Last Modified

June 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-55745 →

📋 Description

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.

🎯 Affected products1

composer/cotonti/cotonti:<= 1.0.0

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-55745
https://github.com/Cotonti/Cotonti
https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.editfolder.php#L90
https://github.com/advisories/GHSA-hp3v-wp32-953h