Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.
AnalysisAI
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile endpoint due to ineffective extension filtering. The vulnerability bypasses file type restrictions, enabling attackers to place executable code in web-accessible directories. With a low attack complexity (AC:L) and requiring only low-level authentication (PR:L), this is exploitable by any user with basic credentials. EPSS probability is relatively low (0.10%, 27th percentile), and no active exploitation is confirmed via CISA KEV status, though the attack technique is well-understood and documented in public advisories.
Technical ContextAI
This vulnerability stems from inadequate input validation on file upload operations (CWE-434: Unrestricted Upload of File with Dangerous Type). Pachno 1.0.6, a project collaboration and issue tracking platform, implements insufficient server-side validation on the /uploadfile endpoint. The filtering mechanism fails to block alternative PHP executable extensions such as .php5, which web servers commonly process as PHP scripts. When Apache or similar web servers are configured with handlers for legacy PHP extensions (AddHandler application/x-httpd-php5 .php5), uploaded files become directly executable. The affected product is identified via CPE string cpe:2.3:a:pancho:pachno:*:*:*:*:*:*:*:*, specifically impacting version 1.0.6. This class of vulnerability has been prevalent in web applications that rely solely on client-side validation or blacklist-based filtering rather than comprehensive server-side whitelisting and file content verification.
RemediationAI
Upgrade Pachno to a patched version that implements proper file upload validation. While the provided intelligence does not specify an exact fixed version number, organizations should check the official Pachno repository and security advisories for the latest stable release addressing CVE-2026-40040. As an immediate mitigation, implement web application firewall rules to block requests to /uploadfile containing suspicious extensions (.php, .php5, .phtml, .phar) or restrict the endpoint to administrative users only. Configure web server handlers to deny execution of uploaded files by placing them outside the web root or in directories with script execution disabled via .htaccess (Options -ExecCGI, php_flag engine off) or equivalent nginx configurations. Review existing uploaded files in web-accessible directories for indicators of compromise, particularly files with PHP-variant extensions created by low-privilege user accounts. Consult vendor advisories at https://www.vulncheck.com/advisories/pachno-unrestricted-file-upload-remote-code-execution for additional guidance.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipu
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redir
A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in a
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and sc
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22045
GHSA-m96c-c5gp-88rx