Unrestricted File Upload Vulnerability in Pachno by Third-Party Vendor
CVE-2026-40040
8.7 HIGH
What is CVE-2026-40040?
Pachno 1.0.6 is vulnerable to unrestricted file upload: authenticated users can bypass its ineffective file-extension filtering and upload arbitrary file types, including potentially malicious PHP scripts, through the /uploadfile endpoint. An attacker who uploads an executable file to a web-accessible directory can achieve remote code execution, putting the server's integrity and security at significant risk.
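A detection sketch for the behaviour described above, added here as an example and not taken from the advisory or from Pachno: it scans web access logs for requests to uploaded files whose extension is outside an allow-list, and notes whether the same client previously posted to /uploadfile. The combined log format, the `/files/` upload prefix (a placeholder) and the allowed extensions are assumptions; the log lines are constructed.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/uploadfile"   # endpoint named in the advisory
UPLOAD_PREFIX = "/files/"         # ASSUMPTION: placeholder for the web path serving uploads
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}  # ASSUMPTION: site policy

# Combined/common log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation addresses, not a real incident).
SAMPLE_LOG = """\
198.51.100.7 - alice [10/Jan/2026:10:00:01 +0000] "POST /uploadfile HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2026:10:00:05 +0000] "GET /files/report.pdf HTTP/1.1" 200 20480
203.0.113.9 - bob [10/Jan/2026:10:02:11 +0000] "POST /uploadfile HTTP/1.1" 200 498
203.0.113.9 - - [10/Jan/2026:10:02:15 +0000] "GET /files/avatar.php?x=1 HTTP/1.1" 200 17
192.0.2.44 - - [10/Jan/2026:10:03:00 +0000] "GET /files/notes.PHP HTTP/1.1" 404 0
"""

def find_suspicious(log_text):
    """Return requests for uploaded files whose extension is not allow-listed."""
    uploaders = set()   # client IPs that successfully POSTed to the upload endpoint
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path   # drop the query string before checking
        status = int(m["status"])
        # endswith() tolerates an install under a sub-path such as /pachno/uploadfile
        if m["method"] == "POST" and path.rstrip("/").endswith(UPLOAD_ENDPOINT) and status < 400:
            uploaders.add(m["ip"])
        elif path.startswith(UPLOAD_PREFIX):
            # Allow-list, case-insensitive; files with no extension are flagged too.
            ext = PurePosixPath(path).suffix.lower()
            if ext not in ALLOWED_EXT:
                findings.append({"ip": m["ip"], "path": path, "status": status,
                                 "uploaded_before": m["ip"] in uploaders})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A hit with status 200 and `uploaded_before` set is the highest-priority finding, since it means a non-allow-listed file was both uploaded and served from the upload path.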
Affected Version(s)
Pachno 1.0.6
CVSS V4
Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
LiquidWorm as Gjoko Krstic of Zero Science Lab
