Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.
AnalysisAI
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.
Technical ContextAI
This is a classic XML External Entity (CWE-403) vulnerability in Pachno's TextParser component, which processes user-supplied content in wiki-formatted text. The flaw occurs when PHP's simplexml_load_string() function parses XML without the LIBXML_NOENT or LIBXML_NONET flags, allowing external entity declarations to be resolved. Attackers can embed specially-crafted XML entities within wiki markup (tables and inline tags) that get processed by the vulnerable parser. When the XML is parsed, the PHP XML processor follows external entity references, enabling file disclosure attacks (e.g., reading /etc/passwd, application configuration files, or source code). The affected product is cpe:2.3:a:pancho:pachno:1.0.6, a project management and collaboration platform. This vulnerability class has been exploited in numerous applications historically, though modern PHP configurations sometimes mitigate XXE through disabled libxml external entity loading by default.
RemediationAI
Upgrade Pachno to a patched version beyond 1.0.6 if available from the vendor. Consult the official Pachno project repository and the VulnCheck advisory (https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection) for specific fix versions and patches. If immediate patching is not possible, implement workarounds: disable wiki content submission from untrusted users, configure PHP libxml settings to disable external entity loading globally (libxml_disable_entity_loader(true) in legacy PHP or ensure LIBXML_NOENT/LIBXML_NONET flags are used), or apply web application firewall (WAF) rules to detect and block XXE payloads in user-submitted content. Review application logs for suspicious XML patterns in wiki content submissions. Validate that simplexml_load_string() calls throughout the codebase use secure parsing flags.
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipu
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redir
A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in a
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and sc
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22049
GHSA-5j7x-7mp7-c5xc