CVE-2026-40040 HIGH

CVE-2026-40040: Pachno 1.0.6 Unrestricted File Upload Remote Code Execution

Vendor: Pachno
Product: Pachno
Weakness: CWE-434 (Unrestricted file upload)
Published: April 13, 2026
Last update: May 12, 2026

CVSS base score

8.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Pachno 1.0.6 contains an unrestricted file upload vulnerability in the /uploadfile endpoint. Its extension filtering is ineffective, so authenticated users can bypass it and upload arbitrary file types. Attackers can upload executable files, such as .php5 scripts, to web-accessible directories and execute them to achieve remote code execution on the server.

Key dates

02 Disclosure timeline

April 13, 2026: CVE published
May 12, 2026: Record updated
