Vulnerability in Pachno
CVE-2026-40042
Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities throu…
EPSS: 0.001 (24.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Pachno — versions 1.0.6
- Pancho Pachno — versions 1.0.6
Weakness classification (CWE)
References
- Zero Science Lab Disclosure (third-party-advisory)
- VulnCheck Advisory: Pachno 1.0.6 Wiki TextParser XML External Entity Injection (third-party-advisory)
Frequently asked questions
- What is CVE-2026-40042?
- CVE-2026-40042 is a critical-severity vulnerability in Pachno, classified under Exposure of File Descriptor to Unintended Control Sphere (File Descriptor Leak). CVSS score: 9.8/10. Published 2026-04-13.
- How severe is CVE-2026-40042?
- Critical severity. CVSS v3 base score is 9.8 out of 10.