CVE-2026-40038

Description

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.

PUBLISHED Reserved 2026-04-08 | Published 2026-04-13 | Updated 2026-05-24 | Assigner VulnCheck

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5980.php (Zero Science Lab Disclosure) third-party-advisory

www.vulncheck.com/...-site-scripting-via-multiple-parameters (VulnCheck Advisory: Pachno 1.0.6 Stored Cross-Site Scripting via Multiple Parameters) third-party-advisory

cve.org (CVE-2026-40038)

nvd.nist.gov (CVE-2026-40038)

Download JSON