Stored Cross-Site Scripting Vulnerability in Pachno by Pachno Systems
CVE-2026-40038

5.1MEDIUM

Key Information:

Vendor: Pancho
Status: Pachno
Vendor: CVE Published:; 13 April 2026

What is CVE-2026-40038?

Pachno version 1.0.6 is susceptible to a stored cross-site scripting (XSS) vulnerability that enables attackers to inject and execute arbitrary HTML or script code. This exploit can be activated by inserting malicious payloads into POST parameters, exploiting fields such as value, comment_body, article_content, description, and message across various controllers. Due to inadequate sanitization mechanisms implemented through Request::getRawParameter() or Request::getParameter() calls, these scripts are stored in the database and subsequently executed in users' browser sessions, potentially leading to unauthorized access or manipulation of user data.

Affected Version(s)

Pachno 1.0.6

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-59...

third-party-advisory

https://www.vulncheck.com/advisories/pachno-stored-cross-...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 13, 2026
Vulnerability Reserved
Apr 8, 2026

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab

CVE-2026-40038 Data

JSON

Pancho

What is CVE-2026-40038?

Affected Version(s)

References

CVSS V4

Timeline

Credit