Pachno

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Pachno.

By the Year

In 2026 there have been 7 vulnerabilities in Pachno with an average score of 7.6 out of ten. Pachno did not have any published security vulnerabilities last year. That is, 7 more vulnerabilities have already been reported in 2026 as compared to last year.

Year	Vulnerabilities	Average Score
2026	7	7.56
2025	0	0.00
2024	0	0.00
2023	1	5.40

It may take a day or so for new Pachno vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Pachno Security Vulnerabilities

Pachno 1.0.6 PHP Deserialization in Cache Enables Arbitrary Code Execution
CVE-2026-40044 9.8 - Critical - April 13, 2026

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.

Marshaling, Unmarshaling

Pachno 1.0.6 Auth Bypass via original_username Cookie in runSwitchUser()
CVE-2026-40043 6.5 - Medium - April 13, 2026

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.

Insecure Direct Object Reference / IDOR

Pachno 1.0.6 XML External Entity Injection via Wiki Syntax
CVE-2026-40042 9.8 - Critical - April 13, 2026

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.

File descriptor leak

Pachno 1.0.6 CSRF Vulnerability: Arbitrary Authenticated Actions
CVE-2026-40041 4.3 - Medium - April 13, 2026

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.

Session Riding

Pachno 1.0.6 Unrestricted File Upload allows RCE via /uploadfile
CVE-2026-40040 8.8 - High - April 13, 2026

Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.

Unrestricted File Upload

Pachno 1.0.6 Open Redirection via return_to Parameter
CVE-2026-40039 6.5 - Medium - April 13, 2026

Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. Attackers can craft malicious login URLs with unvalidated return_to values to conduct phishing attacks and steal user credentials.

Authentication Bypass by Primary Weakness

Pachno 1.0.6 XSS: Stored XSS via Request::getRawParameter
CVE-2026-40038 7.2 - High - April 13, 2026

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.

XSS

Pachno 1.0.6 Authenticated XSS via Project Description/Comments
CVE-2023-47437 5.4 - Medium - November 28, 2023

A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting (XSS) attack. The vulnerability exists due to inadequate input validation in the Project Description and comments, which enables an attacker to inject malicious java script.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Pachno or by Pachno? Click the Watch button to subscribe.

Pachno
Vendor

Pachno
Product

Pachno

Don't miss out!

By the Year

Recent Pachno Security Vulnerabilities

Pachno 1.0.6 PHP Deserialization in Cache Enables Arbitrary Code Execution CVE-2026-40044 9.8 - Critical - April 13, 2026

Pachno 1.0.6 Auth Bypass via original_username Cookie in runSwitchUser() CVE-2026-40043 6.5 - Medium - April 13, 2026

Pachno 1.0.6 XML External Entity Injection via Wiki Syntax CVE-2026-40042 9.8 - Critical - April 13, 2026

Pachno 1.0.6 CSRF Vulnerability: Arbitrary Authenticated Actions CVE-2026-40041 4.3 - Medium - April 13, 2026

Pachno 1.0.6 Unrestricted File Upload allows RCE via /uploadfile CVE-2026-40040 8.8 - High - April 13, 2026

Pachno 1.0.6 Open Redirection via return_to Parameter CVE-2026-40039 6.5 - Medium - April 13, 2026

Pachno 1.0.6 XSS: Stored XSS via Request::getRawParameter CVE-2026-40038 7.2 - High - April 13, 2026

Pachno 1.0.6 Authenticated XSS via Project Description/Comments CVE-2023-47437 5.4 - Medium - November 28, 2023