Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Description

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.

Affected Products

Vendor	Product	Versions
pachno	pachno	1.0.6

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php(third-party-advisory)
https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution(third-party-advisory)

Related News (1 articles)

Tier C

VulDB5d ago

CVE-2026-40044 | Pachno 1.0.6 deserialization (ZSL-2026-5986)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

CWECWE-502

PublishedApr 13, 2026

Last enriched5d agov2

Community Vote

Version History

Last enriched 5d ago

v2Tier C5d ago

Updated severity to CRITICAL and added CVE-2026-40044 as a new tag.

severitytags

via VulDB

v15d ago

Initial creation

Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (4)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History