Skip to main content

Pachno CVE-2026-40039

| EUVDEUVD-2026-22043 HIGH
Authentication Bypass by Primary Weakness (CWE-305)
2026-04-13 VulnCheck GHSA-qx2h-p95p-57w8
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:32 vuln.today
Severity Changed
Apr 13, 2026 - 19:37 NVD
MEDIUM HIGH
CVSS changed
Apr 13, 2026 - 19:37 NVD
6.5 (MEDIUM) 7.1 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 18:56 euvd
EUVD-2026-22043
Analysis Generated
Apr 13, 2026 - 18:56 vuln.today
CVE Published
Apr 13, 2026 - 18:10 nvd
HIGH 7.1

DescriptionCVE.org

Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. Attackers can craft malicious login URLs with unvalidated return_to values to conduct phishing attacks and steal user credentials.

AnalysisAI

Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redirecting victims to attacker-controlled domains after login. With CVSS 7.1 (High) and EPSS 0.03% (9th percentile), exploitation requires user interaction but no authentication, making it effective for social engineering attacks. No active exploitation (CISA KEV) or public exploit code confirmed at time of analysis, though detailed advisories exist from ZeroScience and VulnCheck.

Technical ContextAI

Pachno is an open-source project management and collaboration platform. This vulnerability stems from insufficient input validation (CWE-305: Authentication Bypass by Primary Weakness) on the return_to parameter used in authentication flows. When users authenticate, the application accepts arbitrary URLs in this parameter without proper allowlist validation or origin checking. Attackers exploit this by crafting login URLs containing malicious return_to values that redirect authenticated users to phishing sites designed to mimic legitimate Pachno login pages. The CPE identifier (cpe:2.3:a:pancho:pachno:*:*:*:*:*:*:*:*) confirms the vulnerable component is the core Pachno application. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:P) indicates network-accessible exploitation with low complexity, requiring no privileges but necessitating user interaction.

RemediationAI

Upgrade to Pachno version newer than 1.0.6 when the vendor releases a patched version addressing return_to parameter validation. Upstream fix available (PR/commit); released patched version not independently confirmed from available data at time of analysis. As interim mitigation, implement web application firewall (WAF) rules to restrict return_to parameter values to allowlisted internal paths only, rejecting any URLs containing external domains or protocol handlers. Configure security headers including Content-Security-Policy and Referrer-Policy to limit redirect capabilities. Educate users to verify URL destinations before clicking login links and never enter credentials on unexpected domains. Monitor authentication logs for suspicious return_to parameter patterns containing external domains. Consult vendor advisories at https://www.vulncheck.com/advisories/pachno-open-redirection-via-return-to-parameter and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5981.php for updated remediation guidance.

Share

CVE-2026-40039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy