CVE-2026-40042 CRITICAL

CVE-2026-40042: Pachno 1.0.6 Wiki TextParser XML External Entity Injection

Vendor: Pachno
Product: Pachno
Weakness: CWE-403
Published: April 13, 2026
Last update: May 12, 2026

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.
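One way to guard a simplexml_load_string() call of the kind described above, as an added example that is not Pachno's code or its fix. The helper name parse_untrusted_fragment and the sample inputs are hypothetical; it assumes PHP 8.0 or later and that wiki fragments need only elements, attributes and text.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not Pachno code): parse an untrusted
 * markup fragment with no DTD, no entity declarations and no network access.
 * Returns null when the input is refused or is not well-formed.
 */
function parse_untrusted_fragment(string $xml): ?SimpleXMLElement
{
    // Input must start with an ASCII '<' and contain no NUL bytes, so a
    // non-ASCII-compatible encoding (UTF-16, UTF-32, EBCDIC) cannot hide
    // markup from the byte-level check below.
    $trimmed = ltrim($xml);
    if ($trimmed === '' || $trimmed[0] !== '<' || str_contains($xml, "\0")) {
        return null;
    }
    // Refuse "<!" (DOCTYPE, ENTITY, comments, CDATA) and "<" followed by a
    // question mark (XML declaration, processing instructions).
    // Assumption: fragments need only elements, attributes and text.
    if (preg_match('/<[!?]/', $xml) === 1) {
        return null;
    }
    // Collect parser errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET disables network access while loading. LIBXML_NOENT
    // (entity substitution) and LIBXML_DTDLOAD (external subset loading)
    // are deliberately not passed.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $doc === false ? null : $doc;
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    'plain table'     => '<table><tr><td>cell</td></tr></table>',
    'inline DTD'      => '<!DOCTYPE t [<!ENTITY e "expanded">]><t>&e;</t>',
    'not well-formed' => '<t><b></t>',
];
foreach ($samples as $label => $xml) {
    $verdict = parse_untrusted_fragment($xml) === null ? 'refused' : 'parsed';
    printf("%-16s %s\n", $label, $verdict);
}
```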

Key dates

02 Disclosure timeline

April 13, 2026: CVE published
May 12, 2026: Record updated