CVE-2026-40042

Name of the Vulnerable Software and Affected Versions Pachno version 1.0.6

Description An XML external entity injection allows unauthenticated attackers to read arbitrary files. This occurs due to unsafe XML parsing in the TextParser helper, where malicious XML entities can be injected through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles. This triggers entity resolution via the simplexml load string() function without LIBXML NONET restrictions.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.