CVE-2026-40041

MEDIUM 4.3

Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.

CWE	CWE-352
Vendor	pancho
Product	pachno
Published	Apr 13, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for pancho pachno

Be the first to know when new medium vulnerabilities affecting pancho pachno are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

pancho / Pachno

1.0.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

zeroscience.mk: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5983.php vulncheck.com: https://www.vulncheck.com/advisories/pachno-cross-site-request-forgery-via-state-changing-endpoints

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab