Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
Analysis
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipu
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redir
A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and sc
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22047