CVE-2026-40038
Published: 13 April 2026
Summary
CVE-2026-40038 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-40038 is a stored cross-site scripting (XSS) vulnerability affecting Pachno version 1.0.6. The flaw arises from improper sanitization of user-supplied input via Request::getRawParameter() or Request::getParameter() calls in multiple controllers. Attackers can inject arbitrary HTML and JavaScript payloads through POST parameters such as value, comment_body, article_content, description, and message. These payloads are stored in the database and later executed in the browsers of other users viewing the affected content. The vulnerability is rated 7.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79.
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By submitting malicious payloads to the vulnerable endpoints, the attacker stores persistent scripts that execute in the context of other users' sessions when they access the injected content, such as comments, articles, or descriptions. Successful exploitation enables limited impacts on confidentiality and integrity, such as session hijacking, data theft, or phishing within the application; the CVSS scope change (S:C) reflects that the injected script executes in the victim's browser rather than in the vulnerable component itself.
Advisories published by VulnCheck (https://www.vulncheck.com/advisories/pachno-stored-cross-site-scripting-via-multiple-parameters) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5980.php) provide detailed analysis of the issue; security practitioners should review these for recommended mitigations, including input validation, output encoding, and upgrading to a patched version if available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22041
Vulnerability details
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers; the payloads are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing web application enables remote, unauthenticated exploitation of the application to inject and execute arbitrary JavaScript in victims' browsers, which maps directly to T1190.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user-supplied inputs to block malicious HTML and JavaScript payloads injected via POST parameters like value, comment_body, and description.
SI-15 enforces output filtering and encoding of stored database content to prevent execution of injected scripts in users' browsers when viewing affected pages.
SI-2 mandates identification, reporting, and correction of flaws like improper sanitization in Request::getRawParameter() and Request::getParameter() calls.
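The following is an added example, not Pachno's code, illustrating the stored-XSS pattern from the "Deeper analysis" section (a POST field persisted verbatim and later rendered into HTML unescaped) beside the two controls listed above: an SI-10 style input check that rejects markup in a plain-text field, and an SI-15 style render that entity-encodes stored content at output time. The in-memory store, function names, and the marker payload are assumptions constructed for illustration.

```python
import html
import re

# Constructed in-memory "database" standing in for the application's comment table.
COMMENTS: dict[int, str] = {}

# Anything shaped like an HTML tag; plain-text fields should never carry one.
_TAG_RE = re.compile(r"<[^>]*>")


def validate_plain_text(value: str) -> bool:
    """SI-10 style input validation: reject values containing HTML tags."""
    return _TAG_RE.search(value) is None


def store_comment(comment_id: int, comment_body: str, *, validate: bool = False) -> bool:
    """Persist a comment body. With validate=False this mirrors the vulnerable
    pattern (raw parameter stored unchanged). Returns True if stored."""
    if validate and not validate_plain_text(comment_body):
        return False
    COMMENTS[comment_id] = comment_body
    return True


def render_unsafe(comment_id: int) -> str:
    """Vulnerable render: the stored value is dropped into HTML verbatim,
    so stored markup is parsed as tags/script by every viewer's browser."""
    return f'<div class="comment">{COMMENTS[comment_id]}</div>'


def render_safe(comment_id: int) -> str:
    """SI-15 style output encoding: entity-encode at render time so stored
    markup is displayed as text. Applied on output, it protects even
    records that were stored before input validation existed."""
    return f'<div class="comment">{html.escape(COMMENTS[comment_id], quote=True)}</div>'


def demo() -> dict:
    """Run the three paths against one constructed marker payload."""
    payload = "<script>/* constructed marker */</script>"
    store_comment(1, payload)  # vulnerable path: stored as-is
    return {
        "rejected_by_validation": not store_comment(2, payload, validate=True),
        "unsafe_has_script_tag": "<script>" in render_unsafe(1),
        "safe_has_script_tag": "<script>" in render_safe(1),
    }
```

Encoding at render time is the control that neutralizes content already sitting in the database; input validation alone does not help with rows stored before it was added.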