PT-2026-32492 · Pachno · Pachno

Published: 2026-04-13 · Updated: 2026-04-14 · CVE-2026-40038

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Pachno version 1.0.6

Description

A stored cross-site scripting issue allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. The flaw exists because of improper sanitization via Request::getRawParameter() or Request::getParameter() calls. Scripts can be injected through the value, comment body, article content, description, and message parameters across multiple controllers, which are then stored in the database and executed in users' browser sessions.

Recommendations

As a temporary workaround, restrict or sanitize the use of the value, comment body, article content, description, and message parameters in POST requests until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
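
One way to apply the sanitizing workaround described above, as an added example that is not Pachno's own code or a vendor fix: a PHP filter that HTML-encodes the listed parameters in a POST array and reports which ones it had to change. The field-name spellings, the function names and the sample request are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed spellings of the POST fields the advisory names; match them to the
// parameter names the deployed controllers actually read.
const RISKY_FIELDS = ['value', 'comment_body', 'article_content', 'description', 'message'];

/** HTML-encode a string, or every string inside a nested array. */
function encode_for_html(mixed $v): mixed
{
    if (is_array($v)) {
        return array_map('encode_for_html', $v);
    }
    if (!is_string($v)) {
        return $v;
    }
    // double_encode=false keeps the filter idempotent when a stored value is
    // edited and posted again.
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
}

/**
 * Returns [filtered POST array, names of fields changed by encoding].
 * The second element is meant for logging and alerting.
 */
function neutralise_post(array $post, array $fields = RISKY_FIELDS): array
{
    $flagged = [];
    foreach ($fields as $name) {
        if (!array_key_exists($name, $post)) {
            continue;
        }
        $encoded = encode_for_html($post[$name]);
        if ($encoded !== $post[$name]) {
            $flagged[] = $name;
        }
        $post[$name] = $encoded;
    }
    return [$post, $flagged];
}

// Constructed sample request body, not taken from the advisory.
$sample = [
    'message'     => '<b>hello</b> & welcome',
    'description' => ['plain text', '<i>nested</i>'],
    'issue_id'    => '42', // not in the list, passed through untouched
];
[$clean, $flagged] = neutralise_post($sample);
var_export($clean);
echo PHP_EOL, 'flagged: ', implode(', ', $flagged), PHP_EOL;
```

Encoding on input is a stopgap: fields that are meant to carry markup will display it as literal text, and values already stored before the filter was deployed still need encoding when they are rendered.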

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40038

Affected Products

Pachno