CVE-2026-40044 CRITICAL

CVE-2026-40044: Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Vendor Pachno
Product Pachno
Weakness CWE-502 · Unsafe deserialization
Published April 13, 2026
Last update May 12, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
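A defender-side check for the condition described above, as an added example that is not Pachno's code: it walks a cache directory and reports world-writable entries together with the PHP class names found in serialized-object headers inside each file. The file names and sample contents are constructed, and the cache directory is a parameter because this record does not state Pachno's cache location.

```python
import os
import re
import stat
import tempfile

# PHP serialize() object header: O:<name length>:"<class>":<property count>:{
PHP_OBJECT = re.compile(rb'O:\d+:"([^"]+)":\d+:\{')

def world_writable(path):
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)

def audit_cache_dir(cache_dir):
    """Return (relative path, issue, class names) tuples for a cache directory."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        if world_writable(root):
            findings.append((os.path.relpath(root, cache_dir), "world-writable directory", []))
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cache_dir)
            if os.path.islink(path):
                findings.append((rel, "symlink in cache", []))
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            classes = sorted({c.decode("utf-8", "replace") for c in PHP_OBJECT.findall(data)})
            if world_writable(path):
                findings.append((rel, "world-writable file", classes))
            elif classes:
                findings.append((rel, "contains serialized objects", classes))
    return findings

def demo():
    """Build a constructed cache directory (hypothetical file names) and audit it."""
    with tempfile.TemporaryDirectory() as cache_dir:
        samples = {
            "routes.cache": (b'a:1:{s:1:"k";O:8:"stdClass":0:{}}', 0o666),
            "settings.cache": (b'a:1:{s:4:"lang";s:2:"en";}', 0o600),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(cache_dir, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)  # set explicitly; the umask would mask 0o666
        return audit_cache_dir(cache_dir)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Class names reported for a file can be compared against the classes the application is expected to cache; any world-writable finding means another local or web-reachable writer could replace that file before it is unserialized.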

Key dates

02 Disclosure timeline

April 13, 2026 CVE published
May 12, 2026 Record updated