CVE-2026-58143
Cotonti Siena 0.9.26 CSRF via admin.php Config Update Endpoint
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 8.7EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
09 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler, which never invokes the application's CSRF validation function. Attackers can disable the PFS module's file extension whitelist by setting pfsfilecheck to 0, enabling any user with PFS access to upload and execute arbitrary PHP files on the server.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Cotonti · Cotontipublic PoCs found — 1
cve_referencegist.github.com/sermikr0/75686815e441c07462cfdea2fed5d305unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.