Cyber Resilience

CVE-2026-40042

CriticalPublic PoC

Published: 13 April 2026

Published
13 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 29.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40042 is a critical-severity File Descriptor Leak (CWE-403) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Pachno version 1.0.6 is affected by CVE-2026-40042, an XML external entity (XXE) injection vulnerability in the TextParser helper. The flaw arises from unsafe XML parsing using simplexml_load_string() without LIBXML_NONET restrictions, enabling the injection of malicious XML entities. This issue, classified under CWE-403, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-13.

Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction required. By injecting malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, or wiki articles, attackers trigger entity resolution to read arbitrary files on the server. The high confidentiality, integrity, and availability impacts allow potential full compromise of the affected Pachno instance.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5984.php) provide further details on the vulnerability for security practitioners to review mitigation strategies and patches.

EU & UK References

Vulnerability details

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in…

more

issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in public-facing Pachno web app enables remote unauthenticated exploitation of the application (T1190) and direct arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-58280Shared CWE-403

Affected Assets

Zeroscience
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of user-supplied inputs in issue descriptions, comments, and wiki articles to block malicious XML entity injection before parsing.

prevent

CM-6 requires secure configuration of the TextParser's simplexml_load_string() with LIBXML_NONET restrictions to disable external entity resolution.

prevent

SI-2 ensures timely remediation of the XXE flaw in Pachno 1.0.6 through patching or equivalent mitigations to prevent arbitrary file reads.

References