CVE-2026-58143 - Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows una...
A Cross-Site Request Forgery (CSRF) vulnerability in Cotonti Siena versions 0.9.26 and earlier allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request, enabling the upload and execution of arbitrary PHP files leading to remote code execution.
CVE-2026-58143 details a critical Cross-Site Request Forgery (CSRF) vulnerability affecting Cotonti Siena content management system versions 0.9.26 and earlier. This vulnerability allows an unauthenticated attacker to exploit a flaw in the admin.php configuration update handler, which neglects to invoke the application's CSRF validation function. By crafting a malicious web page or link, the attacker can trick a logged-in administrator into submitting a forged POST request. The primary impact of this action is the ability to disable the PFS module's file extension whitelist (pfsfilecheck parameter), setting it to 0. This modification subsequently allows any user with PFS access to upload and execute arbitrary PHP files on the server, potentially leading to full remote code execution and compromise of the Cotonti Siena installation. The vulnerability was published on 2026-07-09, affecting a widely used open-source CMS.
Attack Chain
- Craft Malicious Request: An unauthenticated attacker crafts a malicious web page containing a forged POST request targeting the
admin.phpconfiguration update handler on the vulnerable Cotonti Siena instance. The request specifically includes the parameterpfsfilecheck=0to disable the PFS module's file extension whitelist. - Social Engineering: The attacker employs social engineering techniques (e.g., phishing, watering hole attack) to trick a legitimate, logged-in administrator of the Cotonti Siena instance into visiting the malicious web page or clicking a malicious link.
- Forged Request Execution: The administrator's browser, being logged into Cotonti Siena, automatically executes the forged POST request to
admin.phpin the background when the malicious page is loaded. - Configuration Modification: The vulnerable Cotonti Siena application processes the incoming POST request to
admin.phpwithout performing adequate CSRF token validation, accepting the forged request as legitimate. Thepfsfilechecksetting is updated to0in the application's configuration. - Arbitrary File Upload Enabled: With the
pfsfilecheckwhitelist disabled, the Cotonti Siena PFS module no longer restricts file uploads based on extension. This allows the attacker, or any user with PFS upload privileges, to upload files with dangerous extensions, such as.php. - PHP File Upload: The attacker uploads a malicious PHP web shell or other arbitrary PHP script to the server via the PFS module.
- Remote Code Execution: The attacker accesses the uploaded PHP file via a web browser, causing the server to execute the arbitrary PHP code, achieving remote code execution (RCE) on the Cotonti Siena server.
Impact
The successful exploitation of CVE-2026-58143 grants unauthenticated attackers a pathway to complete system compromise. By disabling file upload restrictions, attackers can upload and execute arbitrary PHP files, leading to remote code execution. This can result in full control over the compromised Cotonti Siena web server, allowing for data theft, defacement of the website, establishment of persistent backdoors, and further network penetration. While specific victim counts are not available, any organization utilizing Cotonti Siena versions 0.9.26 or earlier is at risk, particularly those that have not implemented additional web application firewall (WAF) protections or strong administrator awareness training against phishing.
Recommendation
- Patch CVE-2026-58143: Immediately upgrade Cotonti Siena to a version greater than 0.9.26 that addresses CVE-2026-58143.
- Implement CSRF Protection: If immediate patching is not possible, implement custom CSRF protection mechanisms or use a Web Application Firewall (WAF) to block requests to
admin.phpthat lack proper anti-CSRF tokens. - Monitor Web Server Logs: Deploy the Sigma rule
Cotonti_Siena_CSRF_PFS_Whitelist_Disable_CVE_2026_58143to your SIEM to detect HTTP POST requests targeting/admin.phpthat attempt to modify thepfsfilecheckparameter, indicating potential exploitation of CVE-2026-58143. - Educate Administrators: Provide security awareness training to administrators on identifying and avoiding social engineering attacks, such as phishing, that could trick them into executing forged requests.
Detection coverage 1
Cotonti Siena CSRF PFS Whitelist Disable CVE-2026-58143
highDetects CVE-2026-58143 exploitation - HTTP POST requests to admin.php attempting to disable the PFS module's file extension whitelist (pfsfilecheck=0) via CSRF.
Detection queries are available on the platform. Get full rules →