What is GHSA-wx35-cv59-9gwr?

GHSA-wx35-cv59-9gwr is a security advisory published by GitHub Security Advisories with High severity. Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module

Which CVE IDs does GHSA-wx35-cv59-9gwr cover?

GHSA-wx35-cv59-9gwr covers the following CVE IDs: CVE-2026-55744. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-wx35-cv59-9gwr?

GHSA-wx35-cv59-9gwr has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

Which products are affected by GHSA-wx35-cv59-9gwr?

GHSA-wx35-cv59-9gwr affects 1 product, including: composer/cotonti/cotonti:\u003c= 1.0.0.

GHSA-wx35-cv59-9gwrHighCVSS 8.1

Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module

Vendor

GitHub Security Advisories

Published

June 18, 2026

Last Modified

June 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-55744 →

📋 Description

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as 'delete' (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim's PFS storage.

🎯 Affected products1

composer/cotonti/cotonti:<= 1.0.0

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-55744
https://github.com/Cotonti/Cotonti
https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.main.php#L118
https://github.com/advisories/GHSA-wx35-cv59-9gwr