Description
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized state changes in authenticated user context
Action: Immediate Patch
AI Analysis

Impact

We find that Pachno 1.0.6 lacks CSRF protection on several state‑changing endpoints, enabling attackers to execute arbitrary actions within the context of an authenticated user. By sending forged requests from an attacker‑controlled site, an attacker can trigger logouts, create new accounts, alter user roles, inject comments, or upload files. This can compromise the integrity and availability of the system, potentially allowing unauthorized configuration changes or malicious content to be introduced.

Affected Systems

The vulnerability affects the Pachno project‑management application version 1.0.6 from vendor pachno, specifically the endpoints responsible for login, registration, file upload, milestone editing, and administrative functions. No other versions or products are listed as affected by the CNA record.

Risk and Exploitability

CVSS base score is 5.3, indicating a moderate risk. EPSS data is missing, and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited in the wild. The likely attack vector is cross‑site request forgery, where an attacker‑controlled website causes the victim's browser to send concealed HTTP requests to the target application. Because the attacker does not need the victim's credentials (the browser attaches the session cookie automatically), any authenticated user who visits a malicious site could be coerced into performing unintended actions.

Generated by OpenCVE AI on April 13, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade Pachno to a version that includes CSRF protection for state‑changing endpoints.
  • If an immediate upgrade is not feasible, restrict state‑changing endpoints to same‑origin requests by enforcing the SameSite cookie attribute or checking the Referer header.
  • Additionally, review uploaded files for malware and implement input validation on all user‑generated content.
  • Finally, monitor authentication events and audit logs for anomalous behavior to detect exploitation attempts.
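The same‑origin and token checks behind the second recommendation, written as a small added illustration in Python (this is not Pachno's code; the site origin, endpoint names and request headers below are constructed). It rejects a state‑changing request unless its Origin (or, failing that, Referer) matches the site, then requires a per‑session synchronizer token compared in constant time, and it shows the SameSite=Lax cookie attribute that makes browsers omit the session cookie on cross‑site POSTs. Requests that carry neither Origin nor Referer are rejected rather than trusted, and every refusal returns a reason string suitable for the audit logging the last recommendation calls for.

```python
"""Minimal CSRF request validation: Origin/Referer check plus a per-session token.

Added illustration, not Pachno's own code. The site origin, headers and
endpoint values below are constructed for the example.
"""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Methods that must never change state, so they need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def request_origin(headers: dict) -> Optional[str]:
    """Return scheme://host[:port] of the page that issued the request.

    Prefers the Origin header; falls back to the Referer's origin part.
    'null' Origins (sandboxed frames, some redirects) are treated as absent.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin != "null":
        return origin.rstrip("/").lower()
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def is_same_origin(method: str, headers: dict, site_origin: str) -> bool:
    """Origin/Referer defence: state-changing requests must originate from our site.

    A request with neither header present is rejected (fail closed).
    """
    if method.upper() in SAFE_METHODS:
        return True
    src = request_origin(headers)
    return src is not None and src == site_origin.rstrip("/").lower()


def issue_csrf_token() -> str:
    """Fresh unguessable token, stored in the session and embedded in forms."""
    return secrets.token_urlsafe(32)


def token_matches(expected: Optional[str], submitted: Optional[str]) -> bool:
    """Synchronizer-token defence using a constant-time comparison."""
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value: SameSite=Lax makes browsers omit it on cross-site POSTs."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def allow_state_change(method: str, headers: dict, form: dict,
                       session: dict, site_origin: str) -> Tuple[bool, str]:
    """Apply both defences in turn; returns (allowed, reason-for-log)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not is_same_origin(method, headers, site_origin):
        return False, "cross-site or missing Origin/Referer"
    if not token_matches(session.get("csrf_token"), form.get("csrf_token")):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# --- constructed sample data ---------------------------------------------
SITE = "https://tracker.example"          # constructed site origin
user_session = {"csrf_token": issue_csrf_token()}

# A legitimate milestone edit submitted from the site's own form.
LEGIT = ("POST", {"Origin": SITE},
         {"csrf_token": user_session["csrf_token"], "name": "v1.1"})
# The same endpoint hit from another site: no token, foreign Origin.
FORGED = ("POST", {"Origin": "https://other.example"}, {"name": "changed"})
# No Origin or Referer at all: must fail closed.
NO_HEADERS = ("POST", {}, {"csrf_token": user_session["csrf_token"]})

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("forged", FORGED), ("no headers", NO_HEADERS)):
        ok, why = allow_state_change(*req, user_session, SITE)
        print(f"{label:10s} allowed={ok} reason={why}")
    print(session_cookie("session_id", "constructed-value"))
```

In a real deployment the Origin/Referer check and the token check are complementary: the header check blocks the forged request before any handler runs, while the token protects the few cases where browsers omit both headers, and SameSite=Lax on the session cookie removes the credential from cross‑site POSTs entirely.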


Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 18:30:00 +0000

Values Removed: (none)
Values Added:
Description: Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
Title: Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints
First Time appeared: Pachno; Pachno pachno
Weaknesses: CWE-352
CPEs: cpe:2.3:a:pachno:pachno:1.0.6:*:*:*:*:*:*:*
Vendors & Products: Pachno; Pachno pachno
References: (none)
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T19:07:47.973Z

Reserved: 2026-04-08T13:39:22.100Z

Link: CVE-2026-40041

Vulnrichment

Updated: 2026-04-13T19:07:29.661Z

NVD

Status : Received

Published: 2026-04-13T19:16:51.787

Modified: 2026-04-13T19:16:51.787

Link: CVE-2026-40041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:39Z

Weaknesses