Impact
Pachno version 1.0.6 parses XML content in wiki pages without restricting external entity resolution, so an attacker can craft XML that causes the server to read arbitrary files. The vulnerable parsing is reached through the TextParser helper when it processes wiki table syntax or inline tags in issue descriptions, comments, and wiki articles. The resulting file disclosure can expose sensitive data such as configuration files, passwords, or source code, compromising confidentiality and potentially enabling further attacks. The weakness is classified as CWE-403 and describes an XML External Entity (XXE) Injection scenario.
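As an added illustration (not Pachno's own code; Pachno is a PHP application, and the function names, the table fragment and the error_log destination below are assumptions), this shows the two controls a fix for this class of bug relies on: refusing any DOCTYPE before the parser sees it, and parsing with libxml options that leave entities unexpanded.

```php
<?php
// Hypothetical hardened wrapper for XML handling in wiki/issue text.
// Not Pachno's code; function and variable names are assumptions.

/**
 * Detect a DOCTYPE anywhere in the input. Entity declarations (internal
 * or external) can only appear inside a DTD, so refusing the DTD outright
 * removes the XXE surface before libxml processes the document.
 */
function contains_doctype(string $xml): bool
{
    // Case-insensitive match so '<!doctype' is caught as well.
    return preg_match('/<!DOCTYPE/i', $xml) === 1;
}

/**
 * Parse user-supplied XML with external entities kept inert.
 * Returns null (and logs) when the input is rejected or fails to parse.
 */
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    if (contains_doctype($xml)) {
        error_log('xml-guard: rejected input containing a DOCTYPE');
        return null;
    }

    // PHP < 8.0: external entity loading had to be disabled explicitly.
    // From PHP 8.0 the loader is off by default and this call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // LIBXML_NONET forbids network access while parsing. Deliberately NOT
    // passing LIBXML_NOENT (entity substitution), LIBXML_DTDLOAD or
    // LIBXML_DTDATTR, each of which re-enables DTD processing.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        foreach (libxml_get_errors() as $e) {
            error_log('xml-guard: parse error: ' . trim($e->message));
        }
        libxml_clear_errors();
        return null;
    }
    return $doc;
}

// Constructed sample inputs: a benign table fragment and one carrying a DTD
// with an external entity (placeholder URI, no real target).
$benign  = '<table><row><cell>ok</cell></row></table>';
$withDtd = '<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><t>&ext;</t>';

var_dump(parse_untrusted_xml($benign) instanceof SimpleXMLElement);
var_dump(parse_untrusted_xml($withDtd));
```

The DOCTYPE check is the primary control; the libxml flags are defence in depth for code paths that might later be given a DTD-bearing document anyway.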
Affected Systems
The affected product is Pachno 1.0.6 from the vendor Pancho. No other affected versions or vendor information are listed. Deployments running this specific release are exposed to the described attack whenever the wiki or issue tracking features are in use.
Risk and Exploitability
The vulnerability has a CVSS score of 9.3, indicating a high risk of exploitation. No EPSS (Exploit Prediction Scoring System) score is available, and the issue is not currently tracked in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is client-initiated XML submission through the wiki interface, with no authentication required for the read operation. Because the vulnerability can expose arbitrary files on the server, the attack surface includes potential theft of credentials, configuration data, or other sensitive information. The impact is limited to confidentiality; the available information gives no direct evidence of code execution or disruption of service.
OpenCVE Enrichment