CVE-2026-40044
Published 2026-04-13
Priority P2 · 64 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% (38.1th percentile)
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pachno | pachno | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Pachno 1.0.6 deserialization (ZSL-2026-5986)
vuldb·2026-04-13·CVSS 9.3
CVE-2026-40044 [CRITICAL] Pachno 1.0.6 deserialization (ZSL-2026-5986)
A vulnerability was found in Pachno 1.0.6. It has been declared as critical. Affected is an unknown function. Executing a manipulation can lead to deserialization.
This vulnerability is tracked as CVE-2026-40044. The attack can be launched remotely. No exploit exists.
GHSA
GHSA-v448-wvgf-wj83: Pachno 1
ghsa_unreviewed·2026-04-13
CVE-2026-40044 [CRITICAL] CWE-502 GHSA-v448-wvgf-wj83: Pachno 1
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-13