CVE-2026-40044

Description

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.

References

• https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution
• https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php