{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pachno/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["xxe","cve-2026-40042","pachno","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePachno 1.0.6 is vulnerable to XML External Entity (XXE) injection, tracked as CVE-2026-40042. The flaw is in the TextParser helper component, which parses user-supplied markup with \u003ccode\u003esimplexml_load_string()\u003c/code\u003e without restricting external entity resolution. An unauthenticated attacker can use it to read arbitrary files from the server by placing an external entity declaration in content the parser handles: wiki table syntax, issue descriptions, comments, and wiki articles. The parser is called without the \u003ccode\u003eLIBXML_NONET\u003c/code\u003e flag; note, however, that \u003ccode\u003eLIBXML_NONET\u003c/code\u003e only blocks network fetches (http, ftp), so a SYSTEM entity that names a local path is resolved regardless of that flag whenever entity substitution is enabled. The effective fix is to never enable entity substitution (\u003ccode\u003eLIBXML_NOENT\u003c/code\u003e) on untrusted input and to reject documents carrying a DOCTYPE or ENTITY declaration. The issue is significant because it exposes sensitive data stored on the server to anyone who can submit content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Pachno 1.0.6 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload containing an external entity declaration. 
This payload aims to read a sensitive file on the server, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload into a wiki page, issue description, or comment using wiki table syntax or inline tags; no account is required.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s TextParser helper passes the injected content to \u003ccode\u003esimplexml_load_string()\u003c/code\u003e with external entity resolution unrestricted. The \u003ccode\u003eLIBXML_NONET\u003c/code\u003e flag is absent, and in any case that flag would not block a local \u003ccode\u003efile://\u003c/code\u003e or bare-path SYSTEM entity.\u003c/li\u003e\n\u003cli\u003eThe XML parser resolves the external entity and reads the referenced file from the local filesystem.\u003c/li\u003e\n\u003cli\u003eThe file\u0026rsquo;s contents are substituted in place of the entity reference in the parsed document.\u003c/li\u003e\n\u003cli\u003eThe rendered wiki page, issue, or comment now carries the file contents, and the attacker reads them back from the HTTP response, achieving unauthorized file access.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process for other files (configuration, application source, credential stores), building up knowledge of the system and its configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40042 in Pachno 1.0.6 allows an unauthenticated attacker to read any file the web server process can access. Exposure ranges from configuration files and application code to database credentials or other secrets stored on the host, which can then support lateral movement within the network or data exfiltration. 
Given the ease of exploitation, the absence of any authentication requirement, and the potential for significant data leakage, this vulnerability represents a critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Pachno that addresses CVE-2026-40042 by disabling external entity resolution in the TextParser helper.\u003c/li\u003e\n\u003cli\u003eIf you cannot upgrade immediately, harden the parser: never pass \u003ccode\u003eLIBXML_NOENT\u003c/code\u003e when parsing user-supplied content, and reject input containing a \u003ccode\u003e\u0026lt;!DOCTYPE\u003c/code\u003e or \u003ccode\u003e\u0026lt;!ENTITY\u003c/code\u003e declaration before it reaches \u003ccode\u003esimplexml_load_string()\u003c/code\u003e. Adding \u003ccode\u003eLIBXML_NONET\u003c/code\u003e is worthwhile but only blocks network fetches, not local file reads.\u003c/li\u003e\n\u003cli\u003eApply that validation at every entry point the parser serves, including wiki pages, issue descriptions, and comments.\u003c/li\u003e\n\u003cli\u003eMonitor submitted content for XML entity declarations (\u003ccode\u003e\u0026lt;!DOCTYPE\u003c/code\u003e, \u003ccode\u003e\u0026lt;!ENTITY\u003c/code\u003e, \u003ccode\u003eSYSTEM\u003c/code\u003e). The payload travels in the request body, which default web server access logs do not record, so rely on a WAF, reverse-proxy request-body logging, or application-level logging of submitted content. See the provided Sigma rule for guidance.\u003c/li\u003e\n\u003cli\u003eThe domains \u003ccode\u003ewww.vulncheck.com\u003c/code\u003e and \u003ccode\u003ewww.zeroscience.mk\u003c/code\u003e host the public advisory and research for this CVE. They are reference sources, not attacker infrastructure; blocking them offers no protection and only cuts off your own access to the advisory material.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-pachno-xxe/","summary":"Pachno 1.0.6 is vulnerable to XML external entity injection, allowing unauthenticated attackers to read arbitrary files by injecting malicious XML entities into wiki content due to unsafe XML parsing in the TextParser helper.","title":"Pachno 1.0.6 XML External Entity Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pachno-xxe/"}],"language":"en","title":"CraftedSignal Threat Feed — Pachno","version":"https://jsonfeed.org/version/1.1"}
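The attack chain and the recommendation above both turn on how simplexml_load_string() is called. The following PHP is an added illustration, not Pachno's code and not taken from the advisory: it shows the vulnerable call beside a hardened one on a constructed payload of the kind the brief describes landing in wiki tables and comments. It assumes the vulnerable call enables entity substitution (LIBXML_NOENT); the brief does not show Pachno's exact flags. The target file is a temporary file created by the script, standing in for /etc/passwd, so the example runs offline. Function names, the payload and the file are all constructed here.

```php
<?php
// Added example (not Pachno code): the XXE pattern from the brief,
// vulnerable parse beside a hardened parse. Everything below is constructed.

declare(strict_types=1);

// Constructed stand-in for /etc/passwd so the script does not touch real secrets.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/sh\n");

// Constructed attacker input: the SYSTEM entity points at a local path, so
// LIBXML_NONET alone would not stop it (that flag only forbids network fetches).
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE td [ <!ENTITY xxe SYSTEM "file://$secret"> ]>
<td>&xxe;</td>
XML;

// Vulnerable pattern (assumed, not Pachno's verified call site): entity
// substitution is on and nothing restricts external entities, so the parsed
// <td> node's text becomes the contents of the referenced file.
function parse_vulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc;
}

// Hardened pattern: refuse any document that declares a DOCTYPE or ENTITY
// before it reaches the parser, never enable substitution, and forbid network
// access as defence in depth. Parser errors are captured rather than emitted.
function parse_hardened(string $xml): string
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed');
    }
    $prev = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
        return $doc === false ? '' : (string) $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// Vulnerable path: the file contents come back as the node's text.
echo "vulnerable: ", parse_vulnerable($payload);

// Hardened path: the payload is rejected before the parser ever sees it.
try {
    parse_hardened($payload);
    echo "hardened: parsed (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")\n";
}

unlink($secret);
```

The pre-parse check is the part that matters most: once a DOCTYPE with a SYSTEM entity reaches a parser that substitutes entities, no output filtering will recover the situation, and on PHP 8 libxml_disable_entity_loader() is deprecated, so controlling the flags and rejecting declarations up front is the portable fix.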