CVE-2026-40042 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 13, 2026
Pachno - XML External Entity Injection
Overview
Pachno 1.0.6 contains an XML external entity (XXE) injection vulnerability caused by unsafe XML parsing in the TextParser helper. It lets unauthenticated attackers read arbitrary files via wiki table syntax and inline tags. Exploitation requires crafted XML input in issue descriptions, comments, or wiki articles.
Severity & Score
Impact
Unauthenticated attackers can read arbitrary files, potentially exposing sensitive information.
Mitigation
Update to the latest version with patched XML parsing or apply patches that restrict entity resolution.
References
Social Media Activity (2 posts)
CVE-2026-40042 - Critical (9.8) Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki ... https://www.thehackerwire.com/vulnerability/CVE-2026-40042/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40042
- Severity: Critical
- CVSS Score: 9.8
- Type: xml_external_entity_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-403
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H