CVE-2026-40044
Published: 13 April 2026
Summary
CVE-2026-40044 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40044 is a deserialization vulnerability (CWE-502) in Pachno version 1.0.6, published on 2026-04-13T19:16:52.290 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw resides in the handling of cache files, where the framework unserializes data from world-writable cache files with predictable names during bootstrap, prior to any authentication checks.
Unauthenticated remote attackers can exploit this vulnerability by writing malicious PHP object payloads to the targeted cache files in the cache directory. Successful exploitation leads to arbitrary code execution on the server, granting high confidentiality, integrity, and availability impacts.
Advisories detailing mitigations and patches are available from VulnCheck at https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution and Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22053
Vulnerability details
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which…
more
are unserialized during framework bootstrap before authentication checks occur.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated deserialization flaw in a public-facing web application (Pachno), allowing remote attackers to achieve arbitrary code execution by writing malicious payloads to world-writable cache files, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the deserialization flaw in Pachno by identifying, reporting, and correcting the unsafe unserialization of cache files during bootstrap.
Establishes secure configuration settings for cache directories, such as non-world-writable permissions and unpredictable names, to block unauthorized writes of malicious serialized objects.
Validates or sanitizes serialized data from cache files prior to deserialization to mitigate execution of injected malicious PHP object payloads.