CVE-2026-40042

Pachno · Pachno

Pachno 1.0.6 is vulnerable to XML external entity (XXE) injection in the TextParser helper, allowing unauthenticated attackers to read arbitrary files from the server.

Executive summary

Pachno version 1.0.6 contains a critical XML external entity injection vulnerability that allows unauthenticated remote attackers to read sensitive files from the host system.

Vulnerability

The application passes user-controlled content to simplexml_load_string() with external entity resolution left enabled; the reported missing LIBXML_NONET restriction is only part of the picture, because that flag blocks network fetches but does nothing against an external entity that points at a local file:// URI. An unauthenticated attacker can therefore embed a DOCTYPE with an external entity in a wiki article or comment and have the server substitute the contents of arbitrary files into the parsed output.
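The following is an added example, not code from Pachno, showing the parsing pattern described above next to a hardened version. The helper names parseUserXmlVulnerable() and parseUserXmlHardened() are hypothetical, and the payload is constructed for this illustration; it targets /etc/hostname only so that the result is harmless to print.

```php
<?php
// Added example, not Pachno's code. parseUserXmlVulnerable() and
// parseUserXmlHardened() are hypothetical helper names.
declare(strict_types=1);

// Constructed payload of the kind an attacker could place in a wiki article
// or comment: the external entity points at a local file, so no network
// access is involved and LIBXML_NONET would not block it.
$xxePayload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE article [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<article>&xxe;</article>
XML;

// Vulnerable: LIBXML_NOENT tells libxml to substitute entities, including
// external ones, so the file's contents land in the parsed node and are
// returned to the caller.
function parseUserXmlVulnerable(string $xml): ?string
{
    $doc = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : trim((string) $doc);
}

// Hardened: reject any document carrying a DOCTYPE (the only place entities
// can be declared), never pass LIBXML_NOENT, and add LIBXML_NONET as
// defence in depth against remote DTD or entity fetches.
function parseUserXmlHardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;   // refuse rather than try to sanitise
    }
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8 the external entity loader is enabled by default.
        libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    return $doc === false ? null : trim((string) $doc);
}

printf("vulnerable: %s\n", var_export(parseUserXmlVulnerable($xxePayload), true));
printf("hardened:   %s\n", var_export(parseUserXmlHardened($xxePayload), true));
```

Run with `php xxe_demo.php`: the vulnerable path prints the host's name (the contents of /etc/hostname), while the hardened path returns NULL because the DOCTYPE is refused before the parser ever sees it. Rejecting DOCTYPE outright is preferable to filtering entity declarations, since libxml also supports parameter entities and external DTD references that a narrower filter can miss.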

Business impact

With a CVSS score of 9.8, this vulnerability poses a severe risk of data exfiltration. Because no authentication is required, an attacker can read configuration files, credentials, or sensitive business data directly from the host, potentially leading to a full system compromise.

Remediation

Immediate Action: Update Pachno to the latest available version provided by the vendor to remediate the unsafe XML parsing implementation.

Proactive Monitoring: Review web server and application logs for request bodies or submitted content containing DOCTYPE or ENTITY declarations, for file:// or php:// references, and for repeated failed attempts to read system-level files.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block request bodies that carry DOCTYPE or external entity declarations, and to deny outbound DTD or entity fetches from the application host.
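As an added example for the monitoring step, not part of the advisory or of Pachno, the helper below scans access-log lines for XXE indicators. flagXxeIndicators() is a hypothetical name, and the log lines and their format (request line followed by a captured body field) are constructed for this illustration.

```php
<?php
// Added example, not Pachno's code. flagXxeIndicators() is a hypothetical
// name; the log format and sample lines are constructed.
declare(strict_types=1);

// Indicators, strongest first: an entity declaration with a SYSTEM or PUBLIC
// identifier is the core of an XXE payload; a bare DOCTYPE in user content is
// suspicious on its own; local stream schemes catch reads even when the
// declaration itself was split across requests or not logged.
const XXE_INDICATORS = [
    'entity_declaration' => '/<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)/i',
    'doctype'            => '/<!DOCTYPE/i',
    'local_scheme'       => '~(file|php|expect|glob)://~i',
];

/** @return array<int, array{line:int, indicator:string, text:string}> */
function flagXxeIndicators(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $i => $line) {
        foreach (XXE_INDICATORS as $name => $pattern) {
            if (preg_match($pattern, $line) === 1) {
                $hits[] = ['line' => $i + 1, 'indicator' => $name, 'text' => $line];
                break; // report only the strongest indicator per line
            }
        }
    }
    return $hits;
}

// Constructed sample: one benign edit, one classic XXE payload, one follow-up
// that leans on a PHP stream wrapper to exfiltrate a source file base64-encoded.
$sampleLog = [
    '10.0.0.5 - - [01/May/2026:10:01:12 +0000] "POST /wiki HTTP/1.1" 200 body="<p>Release notes</p>"',
    '10.0.0.9 - - [01/May/2026:10:02:44 +0000] "POST /wiki HTTP/1.1" 200 body="<!DOCTYPE a [<!ENTITY x SYSTEM \'file:///etc/passwd\'>]><a>&x;</a>"',
    '10.0.0.9 - - [01/May/2026:10:02:50 +0000] "POST /comment HTTP/1.1" 200 body="<a>&x;</a> php://filter/convert.base64-encode/resource=config.php"',
];

foreach (flagXxeIndicators($sampleLog) as $hit) {
    printf("line %d [%s]: %s\n", $hit['line'], $hit['indicator'], $hit['text']);
}
```

This only works where request bodies or submitted content are logged; if they are not, the fallback is to search the application's own error log for libxml parse errors and failed file reads originating from the XML parser, and to enable body logging for the affected endpoints while the instance remains unpatched.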

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a critical security gap that could lead to complete information disclosure. Administrators should prioritize patching the Pachno instance immediately to prevent unauthenticated access to sensitive system data.