CVE-2026-40042
Published: 2026-04-13
Priority: P2 · 62 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.37% (percentile 29.2)
Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pachno | pachno | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-5j7x-7mp7-c5xc: Pachno 1 (ghsa_unreviewed · 2026-04-13 · CVE-2026-40042 · CRITICAL · CWE-403)
VulDB
Pachno 1.0.6 XML Parser simplexml_load_string file descriptor (ZSL-2026-5984) (vuldb · 2026-04-13 · CVE-2026-40042 · CRITICAL · CVSS 9.3)
A vulnerability classified as critical was found in Pachno 1.0.6. The impacted element is the function simplexml_load_string of the component XML Parser. The manipulation results in exposure of file descriptor to unintended control sphere ('file descriptor leak').
This vulnerability is known as CVE-2026-40042. It is possible to launch the attack remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.