Cyber Resilience

CVE-2026-40038

Severity: Medium · Public PoC

Published: 13 April 2026
Modified: 17 April 2026
CVSS v4 score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0004 (11.4th percentile)
Risk priority: 10 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40038 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 5.1 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 11.4th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-40038 is a stored cross-site scripting (XSS) vulnerability affecting Pachno version 1.0.6. The flaw arises from improper sanitization of user-supplied input via Request::getRawParameter() or Request::getParameter() calls in multiple controllers. Attackers can inject arbitrary HTML and JavaScript payloads through POST parameters such as value, comment_body, article_content, description, and message. These payloads are stored in the database and later executed in the browsers of other users viewing the affected content. The vulnerability is rated 7.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79.

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By submitting malicious payloads to the vulnerable endpoints, the attacker stores persistent scripts that execute in the context of other users' sessions when they access injected content, such as comments, articles, or descriptions. Successful exploitation enables limited impacts on confidentiality and integrity, such as session hijacking, data theft, or phishing within the application, due to the cross-origin scope change.

Advisories published by VulnCheck (https://www.vulncheck.com/advisories/pachno-stored-cross-site-scripting-via-multiple-parameters) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5980.php) provide detailed analysis of the issue; security practitioners should review these for recommended mitigations, including input validation, output encoding, and upgrading to a patched version if available.

Vulnerability details

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers; the injected content is stored in the database and later executed in users' browser sessions because of improper sanitization via Request::getRawParameter() or Request::getParameter() calls.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS in public-facing web app enables remote unauthenticated exploitation of the application to inject/execute arbitrary JS in victim browsers, directly mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2026-1074 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)
CVE-2025-22286 (shared CWE-79)
CVE-2025-68031 (shared CWE-79)

Affected Assets

Zeroscience (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) requires validation of user-supplied inputs to block malicious HTML and JavaScript payloads injected via POST parameters like value, comment_body, and description.

Prevent: SI-15 (Information Output Filtering) enforces output filtering and encoding of stored database content to prevent execution of injected scripts in users' browsers when viewing affected pages.

Prevent / Recover: SI-2 (Flaw Remediation) mandates identification, reporting, and correction of flaws like improper sanitization in Request::getRawParameter() and Request::getParameter() calls.
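To make the two "prevent" controls concrete, here is an added PHP sketch (not Pachno's code, nor code from either advisory) contrasting a render path that writes a stored comment_body into HTML unchanged with one that HTML-encodes it, plus an input-side check for fields that must stay plain text. The Request class below is a hypothetical stand-in: only the method name getRawParameter() comes from the page; its signature, the function names and the sample request are assumptions.

```php
<?php
// Hypothetical stand-in for the Request class the advisory names; only the
// method name getRawParameter() is from the page, the signature is assumed.
final class Request
{
    public function __construct(private array $post) {}

    // Returns the POST parameter exactly as submitted, with no processing.
    public function getRawParameter(string $name, ?string $default = null): ?string
    {
        return $this->post[$name] ?? $default;
    }
}

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so any markup in comment_body is interpreted by every viewer's browser.
function renderCommentVulnerable(string $storedBody): string
{
    return '<div class="comment">' . $storedBody . '</div>';
}

// SI-15 (output filtering): encode at the point the value enters the page.
// ENT_QUOTES also encodes quotes, so the result is safe inside attributes too.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCommentHardened(string $storedBody): string
{
    return '<div class="comment">' . escapeHtml($storedBody) . '</div>';
}

// SI-10 (input validation), defense in depth for fields that must stay plain
// text (e.g. "value"): reject anything that looks like a tag rather than
// trying to strip it, and never use this alone in place of output encoding.
function isPlainText(string $value, int $maxLen = 2000): bool
{
    return mb_strlen($value, 'UTF-8') <= $maxLen
        && preg_match('/<\s*[a-z!\/?]/i', $value) !== 1;
}

// Constructed sample request: a comment body that carries an HTML tag.
$request = new Request(['comment_body' => 'Nice <b>work</b>']);
$stored  = $request->getRawParameter('comment_body') ?? ''; // what the controller persists

echo renderCommentVulnerable($stored), PHP_EOL; // the tag reaches the browser as live markup
echo renderCommentHardened($stored), PHP_EOL;   // the tag reaches the browser as visible text
var_dump(isPlainText($stored));                 // a plain-text field should not accept a tag
```

For fields that are meant to carry rich text, encoding is the wrong tool; route those through an allowlisting HTML sanitizer before storage or display instead.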
