Cyber Posture

CVE-2026-40042

CriticalPublic PoC

Published: 13 April 2026

Published
13 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40042 is a critical-severity File Descriptor Leak (CWE-403) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 mandates validation of user-supplied inputs in issue descriptions, comments, and wiki articles to block malicious XML entity injection before parsing.

CM-6 Configuration Settings good match
prevent

CM-6 requires secure configuration of the TextParser's simplexml_load_string() with LIBXML_NONET restrictions to disable external entity resolution.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely remediation of the XXE flaw in Pachno 1.0.6 through patching or equivalent mitigations to prevent arbitrary file reads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

XXE in public-facing Pachno web app enables remote unauthenticated exploitation of the application (T1190) and direct arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in…

more

issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.

Deeper analysisAI

Pachno version 1.0.6 is affected by CVE-2026-40042, an XML external entity (XXE) injection vulnerability in the TextParser helper. The flaw arises from unsafe XML parsing using simplexml_load_string() without LIBXML_NONET restrictions, enabling the injection of malicious XML entities. This issue, classified under CWE-403, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-13.

Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction required. By injecting malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, or wiki articles, attackers trigger entity resolution to read arbitrary files on the server. The high confidentiality, integrity, and availability impacts allow potential full compromise of the affected Pachno instance.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5984.php) provide further details on the vulnerability for security practitioners to review mitigation strategies and patches.

Details

CWE(s)
CWE-403

Affected Products

Zeroscience
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2024-58280Shared CWE-403

References