Description
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Pachno 1.0.6 includes an unrestricted file upload flaw where authenticated users can bypass the extension check on the /uploadfile endpoint and upload arbitrary files. The flaw is a CWE‑434 vulnerability that allows attackers to place executable .php5 scripts in web‑accessible directories and run them, giving remote code execution on the server.

Affected Systems

The vulnerability affects the Pachno project management application, version 1.0.6.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication to the upload endpoint and the ability to upload files. Since the upload path is web‑servable, an attacker who authenticates can upload a malicious script and execute it, leading to server compromise. The lack of mitigation in the current version means the risk is high for any instance that uses the default upload behavior.

Generated by OpenCVE AI on April 13, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Pachno to the latest version that addresses the file upload validation flaw.
  • If an update cannot be performed immediately, restrict the upload directories to non‑executable locations or remove execute permissions.
  • Enforce strict file type validation so only allowed extensions are accepted.
  • Verify that the upload mechanism blocks execution of uploaded scripts and conduct tests to confirm mitigation.

Generated by OpenCVE AI on April 13, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.
Title Pachno 1.0.6 Unrestricted File Upload Remote Code Execution
First Time appeared Pachno
Pachno pachno
Weaknesses CWE-434
CPEs cpe:2.3:a:pachno:pachno:1.0.6:*:*:*:*:*:*:*
Vendors & Products Pachno
Pachno pachno
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Pachno Pachno
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-14T13:08:29.690Z

Reserved: 2026-04-08T13:39:22.100Z

Link: CVE-2026-40040

cve-icon Vulnrichment

Updated: 2026-04-14T13:08:16.885Z

cve-icon NVD

Status : Received

Published: 2026-04-13T19:16:51.617

Modified: 2026-04-13T19:16:51.617

Link: CVE-2026-40040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:40Z

Weaknesses