Open Redirection Vulnerability in Pachno Product by Vendor
CVE-2026-40039

7.1HIGH

Key Information:

Vendor

Pancho

Status
Pachno
Vendor
CVE Published:
13 April 2026

What is CVE-2026-40039?

The Pachno 1.0.6 product is vulnerable to an open redirection flaw, which allows attackers to manipulate the 'return_to' parameter. By crafting malicious login URLs with unvalidated 'return_to' values, attackers can redirect users to arbitrary external websites. This exploitation enables phishing attacks aimed at stealing user credentials, putting sensitive information at significant risk. It is vital for users of this version to update promptly to mitigate potential threats.

Affected Version(s)

Pachno 1.0.6

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-59...
third-party-advisory
https://www.vulncheck.com/advisories/pachno-open-redirect...
third-party-advisory

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab
.