CVE-2026-40040
Received Received - Intake
Unrestricted File Upload in Pachno 1.0.6 Enables RCE

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40040
EUVD
EUVD-2026-22045
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pachno pachno to 1.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Pachno version 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to bypass ineffective file extension filtering on the /uploadfile endpoint.

This means attackers can upload arbitrary file types, including executable files such as .php5 scripts, to web-accessible directories.

Once these malicious files are uploaded, they can be executed remotely, leading to remote code execution (RCE) on the affected server.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to gain unauthorized control over the affected server by executing arbitrary code remotely.

Such control can lead to data breaches, server compromise, disruption of services, and potentially further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring the /uploadfile endpoint for unauthorized or suspicious file uploads, especially files with executable extensions such as .php5.

You can check the web-accessible directories for the presence of unexpected or newly uploaded executable files.

  • Use commands to find suspicious files, for example: find /var/www/html -type f -name '*.php5'
  • Check web server logs for POST requests to /uploadfile endpoint to identify unusual upload activity.
  • Use network monitoring tools to detect unusual traffic patterns or execution attempts of uploaded files.
Mitigation Strategies

Immediate mitigation steps include restricting or disabling file uploads to the /uploadfile endpoint for authenticated users until a patch is applied.

Implement stricter validation and filtering of uploaded files to prevent executable file types from being accepted.

Review and remove any suspicious or unauthorized executable files that may have already been uploaded.

Apply the latest security patches or upgrade Pachno to a version beyond 1.0.6 once available.

Monitor server logs and network traffic for signs of exploitation attempts.

Compliance Impact

The vulnerability allows authenticated users to upload and execute arbitrary files on the server, potentially leading to unauthorized access and control over sensitive data.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and security.

Therefore, exploitation of this vulnerability could lead to violations of these regulations due to compromised data security and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart