Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. Attackers can craft malicious login URLs with unvalidated return_to values to conduct phishing attacks and steal user credentials.
AnalysisAI
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redirecting victims to attacker-controlled domains after login. With CVSS 7.1 (High) and EPSS 0.03% (9th percentile), exploitation requires user interaction but no authentication, making it effective for social engineering attacks. No active exploitation (CISA KEV) or public exploit code confirmed at time of analysis, though detailed advisories exist from ZeroScience and VulnCheck.
Technical ContextAI
Pachno is an open-source project management and collaboration platform. This vulnerability stems from insufficient input validation (CWE-305: Authentication Bypass by Primary Weakness) on the return_to parameter used in authentication flows. When users authenticate, the application accepts arbitrary URLs in this parameter without proper allowlist validation or origin checking. Attackers exploit this by crafting login URLs containing malicious return_to values that redirect authenticated users to phishing sites designed to mimic legitimate Pachno login pages. The CPE identifier (cpe:2.3:a:pancho:pachno:*:*:*:*:*:*:*:*) confirms the vulnerable component is the core Pachno application. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:P) indicates network-accessible exploitation with low complexity, requiring no privileges but necessitating user interaction.
RemediationAI
Upgrade to Pachno version newer than 1.0.6 when the vendor releases a patched version addressing return_to parameter validation. Upstream fix available (PR/commit); released patched version not independently confirmed from available data at time of analysis. As interim mitigation, implement web application firewall (WAF) rules to restrict return_to parameter values to allowlisted internal paths only, rejecting any URLs containing external domains or protocol handlers. Configure security headers including Content-Security-Policy and Referrer-Policy to limit redirect capabilities. Educate users to verify URL destinations before clicking login links and never enter credentials on unexpected domains. Monitor authentication logs for suspicious return_to parameter patterns containing external domains. Consult vendor advisories at https://www.vulncheck.com/advisories/pachno-open-redirection-via-return-to-parameter and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5981.php for updated remediation guidance.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipu
A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in a
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and sc
Same weakness CWE-305 – Authentication Bypass by Primary Weakness
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22043
GHSA-qx2h-p95p-57w8