CVE-2026-40042 · CRITICAL 9.8 · EPSS percentile 29.0%

Description

Pachno 1.0.6 contains an XML external entity (XXE) injection vulnerability that allows unauthenticated attackers to read arbitrary files from the server by exploiting unsafe XML parsing in the TextParser helper. An attacker places malicious XML entity declarations inside wiki table syntax and inline tags in issue descriptions, comments and wiki articles; TextParser hands that user-controlled content to simplexml_load_string() without LIBXML_NONET restrictions, so the declared entities are resolved during parsing and their contents are disclosed in the rendered output.
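As an added example, not code from Pachno or from the advisory authors, the following shows the vulnerable parsing pattern the description refers to next to a hardened version. The `<cell>` wrapper, the payload and the function names are constructed for illustration; the page does not reproduce Pachno's real wiki-table syntax or the exact options its TextParser passes, and the vulnerable function assumes LIBXML_NOENT is set so that entity substitution actually happens.

```php
<?php
// Added example (not Pachno's code): vulnerable vs hardened use of
// simplexml_load_string() on user-controlled markup.

// Constructed attacker input: an XXE payload embedded in a wiki-style cell.
// The wrapper element and the file target are assumptions for this demo.
$WIKI_INPUT = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE cell [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<cell>&xxe;</cell>
XML;

// Vulnerable pattern: LIBXML_NOENT tells libxml to substitute entities, so
// the SYSTEM identifier is fetched and its contents land in the parsed tree
// (and from there in the rendered page). LIBXML_NONET is absent, and would
// not help with file:// anyway.
function parse_cell_vulnerable(string $xml): ?SimpleXMLElement
{
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NOENT);
    libxml_use_internal_errors($prev);
    return $doc === false ? null : $doc;
}

// Hardened pattern: user markup never needs a DTD, so reject any document
// that declares one; never pass LIBXML_NOENT; forbid network fetches; and on
// PHP < 8 switch off the external entity loader explicitly.
function parse_cell_hardened(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml)) {
        return null; // DTD or entity declaration in user content: refuse
    }
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    return $doc === false ? null : $doc;
}

$v = parse_cell_vulnerable($WIKI_INPUT);
echo "vulnerable: ", $v === null ? "(parse failed)" : substr((string) $v, 0, 60), "\n";

$h = parse_cell_hardened($WIKI_INPUT);
echo "hardened:   ", $h === null ? "rejected" : (string) $h, "\n";
```

Run it with `php example.php`. On a host that has /etc/passwd, the vulnerable parse prints the first 60 bytes of that file as the cell's text, while the hardened parse returns null at the DOCTYPE check. Note that LIBXML_NONET on its own is not a fix for this class of bug: it blocks http:// and similar remote fetches but does nothing for file:// SYSTEM entities, which is why the hardened version also omits LIBXML_NOENT and rejects any DTD outright.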

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% probability of exploitation · percentile 29.0% · scored 2026-06-19T12:03:05Z
Published: 2026-04-13
Last modified: 2026-04-17

Underlying weaknesses (1)

CWE-403 (Exposure of File Descriptor to Unintended Control Sphere, 'File Descriptor Leak'). This is the mapping recorded in the source feed. The behaviour described above, resolution of attacker-declared XML external entities, is what CWE-611 (Improper Restriction of XML External Entity Reference) covers, so treat the CWE-403 label with caution when using it for triage or classification.

References

  1. https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection
  2. https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5984.php

Weakness classification (1)

Type     | Target                                                                         | Confidence | Tier
Weakness | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak'), cwe-403 | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-40040
CVE: CVE-2026-40044
CVE: CVE-2026-41936
CVE: CVE-2025-67484
CVE: CVE-2026-11169
CVE: CVE-2026-24515
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.