EUVD-2026-22053
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
AnalysisAI
Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: inventory all systems running Pachno 1.0.6 and assess internet exposure; immediately restrict network access to affected Pachno instances using firewall rules. Within 7 days: contact Pachno vendor for patch timeline and interim security updates; implement application-level input validation and disable automatic deserialization if configuration options exist. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today