CVE-2026-40044

CriticalPublic PoC

Published: 13 April 2026

Published

13 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which…

are unserialized during framework bootstrap before authentication checks occur.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the deserialization flaw in Pachno by identifying, reporting, and correcting the unsafe unserialization of cache files during bootstrap.

CM-6 Configuration Settings good match

prevent

Establishes secure configuration settings for cache directories, such as non-world-writable permissions and unpredictable names, to block unauthorized writes of malicious serialized objects.

SI-10 Information Input Validation partial match

prevent

Validates or sanitizes serialized data from cache files prior to deserialization to mitigate execution of injected malicious PHP object payloads.

Security SummaryAI

CVE-2026-40044 is a deserialization vulnerability (CWE-502) in Pachno version 1.0.6, published on 2026-04-13T19:16:52.290 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw resides in the handling of cache files, where the framework unserializes data from world-writable cache files with predictable names during bootstrap, prior to any authentication checks.

Unauthenticated remote attackers can exploit this vulnerability by writing malicious PHP object payloads to the targeted cache files in the cache directory. Successful exploitation leads to arbitrary code execution on the server, granting high confidentiality, integrity, and availability impacts.

Advisories detailing mitigations and patches are available from VulnCheck at https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution and Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php.

Details

CWE(s): CWE-502

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated deserialization flaw in a public-facing web application (Pachno), allowing remote attackers to achieve arbitrary code execution by writing malicious payloads to world-writable cache files, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution
disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php
disclosure@vulncheck.com