CVE-2026-40042: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') in pancho Pachno
Pachno version 1.0.6 contains a critical XML external entity (XXE) injection vulnerability. This flaw allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper component. The vulnerability arises from the use of simplexml_load_string() without disabling network access (LIBXML_NONET), enabling malicious XML entities injected via wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to be resolved. The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
CVE-2026-40042 is an XML external entity injection vulnerability in pancho's Pachno 1.0.6. The issue stems from unsafe XML parsing in the TextParser helper, where simplexml_load_string() is called without the LIBXML_NONET flag, allowing network access during entity resolution. Attackers can inject malicious XML entities through wiki table syntax and inline tags in various user-editable fields such as issue descriptions, comments, and wiki articles. This enables unauthenticated attackers to read arbitrary files on the server, leading to exposure of sensitive information. The vulnerability is rated critical with a CVSS 4.0 score of 9.3. No vendor advisory or patch is currently available, and the product is not a cloud service.
Potential Impact
Successful exploitation allows unauthenticated attackers to read arbitrary files on the affected system, potentially exposing sensitive information. This can lead to significant confidentiality breaches. The vulnerability does not require user interaction or privileges, increasing its risk. There are no known exploits in the wild currently, but the critical severity and ease of exploitation make this a high-risk issue.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting XML parsing features that use simplexml_load_string() without LIBXML_NONET or apply custom input validation to block malicious XML entities. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-40042: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') in pancho Pachno
Description
Pachno version 1.0.6 contains a critical XML external entity (XXE) injection vulnerability. This flaw allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper component. The vulnerability arises from the use of simplexml_load_string() without disabling network access (LIBXML_NONET), enabling malicious XML entities injected via wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to be resolved. The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
CVSS v4.0
Score 9.3critical
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40042 is an XML external entity injection vulnerability in pancho's Pachno 1.0.6. The issue stems from unsafe XML parsing in the TextParser helper, where simplexml_load_string() is called without the LIBXML_NONET flag, allowing network access during entity resolution. Attackers can inject malicious XML entities through wiki table syntax and inline tags in various user-editable fields such as issue descriptions, comments, and wiki articles. This enables unauthenticated attackers to read arbitrary files on the server, leading to exposure of sensitive information. The vulnerability is rated critical with a CVSS 4.0 score of 9.3. No vendor advisory or patch is currently available, and the product is not a cloud service.
Potential Impact
Successful exploitation allows unauthenticated attackers to read arbitrary files on the affected system, potentially exposing sensitive information. This can lead to significant confidentiality breaches. The vulnerability does not require user interaction or privileges, increasing its risk. There are no known exploits in the wild currently, but the critical severity and ease of exploitation make this a high-risk issue.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting XML parsing features that use simplexml_load_string() without LIBXML_NONET or apply custom input validation to block malicious XML entities. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-08T13:39:22.100Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd369b82d89c981f375072
Added to database: 4/13/2026, 6:31:55 PM
Last enriched: 4/21/2026, 6:15:33 AM
Last updated: 6/12/2026, 10:22:37 AM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.