Skip to main content

Pachno CVE-2026-40040

| EUVDEUVD-2026-22045 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-13 VulnCheck GHSA-m96c-c5gp-88rx
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:32 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
8.8 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 18:56 euvd
EUVD-2026-22045
Analysis Generated
Apr 13, 2026 - 18:56 vuln.today
CVE Published
Apr 13, 2026 - 18:10 nvd
HIGH 8.7

DescriptionCVE.org

Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.

AnalysisAI

Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile endpoint due to ineffective extension filtering. The vulnerability bypasses file type restrictions, enabling attackers to place executable code in web-accessible directories. With a low attack complexity (AC:L) and requiring only low-level authentication (PR:L), this is exploitable by any user with basic credentials. EPSS probability is relatively low (0.10%, 27th percentile), and no active exploitation is confirmed via CISA KEV status, though the attack technique is well-understood and documented in public advisories.

Technical ContextAI

This vulnerability stems from inadequate input validation on file upload operations (CWE-434: Unrestricted Upload of File with Dangerous Type). Pachno 1.0.6, a project collaboration and issue tracking platform, implements insufficient server-side validation on the /uploadfile endpoint. The filtering mechanism fails to block alternative PHP executable extensions such as .php5, which web servers commonly process as PHP scripts. When Apache or similar web servers are configured with handlers for legacy PHP extensions (AddHandler application/x-httpd-php5 .php5), uploaded files become directly executable. The affected product is identified via CPE string cpe:2.3:a:pancho:pachno:*:*:*:*:*:*:*:*, specifically impacting version 1.0.6. This class of vulnerability has been prevalent in web applications that rely solely on client-side validation or blacklist-based filtering rather than comprehensive server-side whitelisting and file content verification.

RemediationAI

Upgrade Pachno to a patched version that implements proper file upload validation. While the provided intelligence does not specify an exact fixed version number, organizations should check the official Pachno repository and security advisories for the latest stable release addressing CVE-2026-40040. As an immediate mitigation, implement web application firewall rules to block requests to /uploadfile containing suspicious extensions (.php, .php5, .phtml, .phar) or restrict the endpoint to administrative users only. Configure web server handlers to deny execution of uploaded files by placing them outside the web root or in directories with script execution disabled via .htaccess (Options -ExecCGI, php_flag engine off) or equivalent nginx configurations. Review existing uploaded files in web-accessible directories for indicators of compromise, particularly files with PHP-variant extensions created by low-privilege user accounts. Consult vendor advisories at https://www.vulncheck.com/advisories/pachno-unrestricted-file-upload-remote-code-execution for additional guidance.

Share

CVE-2026-40040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy