Description
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
Published: 2026-04-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Pachno version 1.0.6 contains a deserialization flaw that permits attackers to inject malicious PHP object payloads into cache files. When the framework boots, these cache files are unserialized before any authentication checks are performed, allowing an unauthenticated attacker who can write to the world‑writable cache directory to execute arbitrary code on the host. This vulnerability is a classic example of CWE‑502 and can lead to full compromise of the affected system.

Affected Systems

The listed vendor and product are pachno / Pachno, specifically the 1.0.6 release. No other vendors, products, or versions are indicated as affected.

Risk and Exploitability

A CVSS score of 9.3 indicates very high (Critical) severity. Exploitation requires the attacker to obtain write access to cache files with predictable names in a world‑writable directory; once a payload is written, it is executed during bootstrap, before user authentication. Because the EPSS score is unavailable and the vulnerability is not in the KEV catalog, the precise likelihood of exploitation is unclear, but the high CVSS score and the low barrier to writing files give attackers a straightforward path to compromise systems running this version.

Generated by OpenCVE AI on April 13, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Pachno update or a version that mitigates the deserialization flaw as soon as it becomes available.
  • If no patch is available, immediately remove world‑write permissions from the Pachno cache directory (for example, chmod 700).
  • Disable or harden any caching functionality that is not required for your deployment to reduce the attack surface.
  • Continuously monitor the cache directory for unexpected file creation or modifications and generate alerts when changes are detected.
  • Verify that no user‑supplied or untrusted serialized objects are loaded by the application before authentication checks are performed.
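
The following shell script is an added example, not code from OpenCVE or from the Pachno project. It turns three of the actions above into reusable checks: it audits a cache directory for entries that group or others can write, applies the owner-only permissions suggested as a workaround (chmod 700 on directories, 600 on files), and records a file inventory so that cache files which appear or change between runs can be flagged. The cache path (CACHE_DIR) and the sample entries are assumptions; the page does not give Pachno's actual cache location.

```shell
#!/bin/sh
# Added example (not OpenCVE's or Pachno's code): permission audit, owner-only
# hardening and a file inventory for a PHP application's cache directory.
# Assumption: CACHE_DIR is a placeholder; the page does not state the real path.

CACHE_DIR=${CACHE_DIR:-/var/www/pachno/cache}

# Exit 0 when the group-write or other-write bit is set on $1.
# Parses `ls -ld` so it behaves the same on GNU and BSD userlands.
is_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*)    return 0 ;;   # 6th character: group write bit
        ????????w?) return 0 ;;   # 9th character: other (world) write bit
        *)          return 1 ;;
    esac
}

# Walks $1 recursively (the directory itself included) and prints one
# FINDING line per entry that group or others can write. Returns 1 when
# anything was found, 0 when the tree is owner-writable only, 2 on bad input.
audit_cache_dir() {
    dir=$1
    [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 2; }
    findings=$(find "$dir" | while IFS= read -r p; do
        if is_group_or_world_writable "$p"; then
            printf 'FINDING: writable by group or others: %s\n' "$p"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# The chmod 700 workaround from the recommended actions, applied to every
# directory under $1, with 600 on every regular file. Run it as the account
# that owns the cache so the application itself keeps access.
harden_cache_dir() {
    dir=$1
    [ -d "$dir" ] || return 2
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Writes an inventory (CRC, size, path) of every regular file under $1 into
# the file $2, sorted by path. Saving one after each deploy gives a baseline
# for the "unexpected file creation or modification" the advisory says to alert on.
snapshot_cache_dir() {
    find "$1" -type f -exec cksum {} + < /dev/null | sort -k3 > "$2"
}

# Exit 0 when baseline $1 and current inventory $2 match; otherwise prints
# the differing lines (new, changed or removed cache files) and exits 1.
compare_snapshots() {
    diff "$1" "$2"
}

# Stand-alone use: sh cache_audit.sh /path/to/cache
if [ $# -gt 0 ]; then
    audit_cache_dir "$1"
fi
```

Run it as the account that owns the cache directory. `audit_cache_dir` returns non-zero whenever it finds something, so it can sit in a cron job or a monitoring check, and `compare_snapshots` returns non-zero when the current inventory differs from the saved baseline, which is the signal to investigate before the application boots again.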


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000 (values added; nothing removed)

  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 18:30:00 +0000 (values added; nothing removed)

  Description: Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
  Title: Pachno 1.0.6 FileCache Deserialization Remote Code Execution
  First Time appeared: Pachno; Pachno pachno
  Weaknesses: CWE-502
  CPEs: cpe:2.3:a:pachno:pachno:1.0.6:*:*:*:*:*:*:*
  Vendors & Products: Pachno; Pachno pachno
  References: (none listed)
  Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
           cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T18:57:58.765Z

Reserved: 2026-04-08T13:39:22.100Z

Link: CVE-2026-40044

Vulnrichment

Updated: 2026-04-13T18:57:54.502Z

NVD

Status: Received

Published: 2026-04-13T19:16:52.290

Modified: 2026-04-13T19:16:52.290

Link: CVE-2026-40044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:36Z

Weaknesses