Cyber Resilience

CVE-2026-40044

CriticalPublic PoCRCE

Published: 13 April 2026

Published
13 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0048 37.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40044 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40044 is a deserialization vulnerability (CWE-502) in Pachno version 1.0.6, published on 2026-04-13T19:16:52.290 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw resides in the handling of cache files, where the framework unserializes data from world-writable cache files with predictable names during bootstrap, prior to any authentication checks.

Unauthenticated remote attackers can exploit this vulnerability by writing malicious PHP object payloads to the targeted cache files in the cache directory. Successful exploitation leads to arbitrary code execution on the server, granting high confidentiality, integrity, and availability impacts.

Advisories detailing mitigations and patches are available from VulnCheck at https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution and Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which…

more

are unserialized during framework bootstrap before authentication checks occur.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated deserialization flaw in a public-facing web application (Pachno), allowing remote attackers to achieve arbitrary code execution by writing malicious payloads to world-writable cache files, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62368Shared CWE-502
CVE-2025-68903Shared CWE-502
CVE-2025-67911Shared CWE-502
CVE-2025-54014Shared CWE-502
CVE-2026-22505Shared CWE-502
CVE-2025-53078Shared CWE-502
CVE-2026-43633Shared CWE-502
CVE-2025-60039Shared CWE-502
CVE-2026-25429Shared CWE-502
CVE-2025-7697Shared CWE-502

Affected Assets

Zeroscience
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the deserialization flaw in Pachno by identifying, reporting, and correcting the unsafe unserialization of cache files during bootstrap.

prevent

Establishes secure configuration settings for cache directories, such as non-world-writable permissions and unpredictable names, to block unauthorized writes of malicious serialized objects.

prevent

Validates or sanitizes serialized data from cache files prior to deserialization to mitigate execution of injected malicious PHP object payloads.

References