CVE-2026-40038
Stored XSS in Pachno 1.0.6 via Unsanitized POST Parameters

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40038 is a stored cross-site scripting (XSS) vulnerability in Pachno version 1.0.6. It allows attackers to inject and execute arbitrary HTML and script code by submitting malicious payloads through multiple POST parameters such as value, comment_body, article_content, description, and message.

These parameters are processed across various controllers and stored in the database without proper sanitization because the application uses Request::getRawParameter() or Request::getParameter() methods that fail to neutralize harmful input.

When users access the stored data, the malicious scripts execute in their browsers, potentially leading to harmful effects like session hijacking or defacement.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you access affected data. This can lead to session hijacking, where attackers steal your session tokens, defacement of web content, or other malicious actions that compromise your interaction with the affected application.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and inspecting POST requests to the affected Pachno 1.0.6 application for malicious payloads injected into the parameters: value, comment_body, article_content, description, and message.

You can use web application security testing tools or intercepting proxies (such as Burp Suite or OWASP ZAP) to capture and analyze POST requests for suspicious script tags or HTML code in these parameters.

Additionally, searching the database for stored entries containing suspicious script or HTML tags in these fields can help identify exploitation attempts.

  • Use curl or similar command-line tools to send crafted POST requests with test XSS payloads to the application endpoints and observe responses.
  • Example curl command to test injection in the 'comment_body' parameter: curl -X POST -d "comment_body=<script>alert('XSS')</script>" https://your-pachno-instance/path
  • Query the database for entries containing script tags in the vulnerable fields, for example: SELECT * FROM comments WHERE comment_body LIKE '%<script>%';
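The LIKE '%<script>%' query above only finds the literal tag, so stored markup that runs script without it (for example an inline event handler) goes unnoticed. The following sweep is an added example, not code from this page or from Pachno: it checks a stored field against a broader heuristic pattern. The table layout (a comments table with id and comment_body columns) and all sample rows are assumptions constructed for the demonstration, and the pattern is a triage aid, not a complete XSS filter.

```python
import re
import sqlite3

# Parameter names from the advisory; which table stores each one is an assumption.
FIELDS = {"value", "comment_body", "article_content", "description", "message"}

# Heuristic triage pattern: active tags, inline event handlers, javascript: URIs.
# Plain <img>/<a> are left out so ordinary rich text is not flagged on its own.
SUSPICIOUS = re.compile(
    r"<\s*(?:script|iframe|object|embed|svg|style|link|meta)\b"
    r"|<[^>]+\son[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def suspicious_rows(conn, table, column):
    """Return [(id, matched_text)] for stored values that contain active markup."""
    if column not in FIELDS or not IDENT.match(table):
        raise ValueError("unexpected table or column name")
    hits = []
    query = f"SELECT id, {column} FROM {table} ORDER BY id"
    for row_id, text in conn.execute(query):
        m = SUSPICIOUS.search(text or "")
        if m:
            hits.append((row_id, m.group(0)))
    return hits


def sample_db():
    """In-memory stand-in for the comments table; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, comment_body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", [
        (1, "Looks good to me, merging."),
        (2, "<script>alert('XSS')</script>"),   # test payload from the curl example
        (3, "<img src=x onerror=alert(1)>"),     # no <script> tag, missed by LIKE
        (4, "Fails when a < b and b > c"),       # benign angle brackets
        (5, "&lt;script&gt; renders as text"),   # already entity-encoded
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    like = db.execute("SELECT id FROM comments WHERE comment_body LIKE '%<script>%'")
    print("LIKE '%<script>%':", [r[0] for r in like])
    print("pattern sweep:   ", suspicious_rows(db, "comments", "comment_body"))
```

Rows it reports are candidates for manual review; benign text with angle brackets and already-encoded entities are not flagged.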

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating all user input on the server side, especially for the parameters value, comment_body, article_content, description, and message.

Since the vulnerability arises from improper sanitization via Request::getRawParameter() or Request::getParameter(), avoid using these methods without proper input neutralization.

Implement or enable output encoding/escaping mechanisms to prevent execution of injected scripts when displaying stored data.

If available, apply patches or updates provided by the vendor that address this vulnerability.

As a temporary measure, consider filtering or blocking suspicious input patterns at the web application firewall (WAF) or reverse proxy level.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the stored cross-site scripting vulnerability in Pachno 1.0.6 directly affects compliance with common standards and regulations such as GDPR or HIPAA.

