CVE-2026-40042 is an XML external entity injection vulnerability affecting pancho Pachno version 1.0.6. The vulnerability exists in the TextParser helper component, which parses XML content from user-supplied input such as wiki tables and inline tags in issue descriptions, comments, and wiki articles. Because the XML parser function simplexml_load_string() is called without the LIBXML_NONET flag, it allows external entity references to be resolved. This enables unauthenticated attackers to read arbitrary files on the server by injecting malicious XML entities, leading to exposure of sensitive file descriptors. The vulnerability is remotely exploitable without authentication and has a critical CVSS score of 9.3. No patch or official remediation has been disclosed by the vendor as of the publication date.

Successful exploitation of this vulnerability allows unauthenticated remote attackers to read arbitrary files on the affected system. This can lead to disclosure of sensitive information, potentially compromising confidentiality and aiding further attacks. The vulnerability does not require user interaction or privileges, increasing its risk. There are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting XML parsing features that use simplexml_load_string() without the LIBXML_NONET flag. Avoid processing untrusted XML input in affected components. Monitor vendor channels for updates and apply patches promptly once available.