Skip to main content

Pachno CVE-2026-40042

| EUVDEUVD-2026-22049 CRITICAL
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') (CWE-403)
2026-04-13 VulnCheck GHSA-5j7x-7mp7-c5xc
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:32 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
EUVD ID Assigned
Apr 13, 2026 - 18:56 euvd
EUVD-2026-22049
Analysis Generated
Apr 13, 2026 - 18:56 vuln.today
CVE Published
Apr 13, 2026 - 18:10 nvd
CRITICAL 9.3

DescriptionCVE.org

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.

AnalysisAI

XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Technical ContextAI

This is a classic XML External Entity (CWE-403) vulnerability in Pachno's TextParser component, which processes user-supplied content in wiki-formatted text. The flaw occurs when PHP's simplexml_load_string() function parses XML without the LIBXML_NOENT or LIBXML_NONET flags, allowing external entity declarations to be resolved. Attackers can embed specially-crafted XML entities within wiki markup (tables and inline tags) that get processed by the vulnerable parser. When the XML is parsed, the PHP XML processor follows external entity references, enabling file disclosure attacks (e.g., reading /etc/passwd, application configuration files, or source code). The affected product is cpe:2.3:a:pancho:pachno:1.0.6, a project management and collaboration platform. This vulnerability class has been exploited in numerous applications historically, though modern PHP configurations sometimes mitigate XXE through disabled libxml external entity loading by default.

RemediationAI

Upgrade Pachno to a patched version beyond 1.0.6 if available from the vendor. Consult the official Pachno project repository and the VulnCheck advisory (https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection) for specific fix versions and patches. If immediate patching is not possible, implement workarounds: disable wiki content submission from untrusted users, configure PHP libxml settings to disable external entity loading globally (libxml_disable_entity_loader(true) in legacy PHP or ensure LIBXML_NOENT/LIBXML_NONET flags are used), or apply web application firewall (WAF) rules to detect and block XXE payloads in user-submitted content. Review application logs for suspicious XML patterns in wiki content submissions. Validate that simplexml_load_string() calls throughout the codebase use secure parsing flags.

Share

CVE-2026-40042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy