{"id":46373,"date":"2026-04-13T13:52:27","date_gmt":"2026-04-13T13:52:27","guid":{"rendered":"http:\/\/localhost\/?p=46373"},"modified":"2026-04-13T13:52:27","modified_gmt":"2026-04-13T13:52:27","slug":"pachno-106-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=46373","title":{"rendered":"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854"},"content":{"rendered":"

{“lastseen”:”2026-04-13T17:45:45″,”description”:”Pachno version 1.0.6 suffers from persistent cross site scripting vulnerabilities…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218854″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Pachno 1.0.6 Stored Cross-Site Scripting\\n \\n \\n Vendor: Daniel Andr\u00e9 Eikeland\\n Product web page: https:\/\/github.com\/pachno\/pachno\\n Affected version: 1.0.6\\n \\n Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)\\n designed for team project management, issue tracking, and documentation. It offers a module-based,\\n customizable environment for software development and team workflows, distributed under the\\n Mozilla Public License.\\n \\n Desc: Input passed to the POST parameters value, comment_body, article_content, description\\n and message via multiple controllers is not properly sanitised before being stored in the\\n database and returned to the user. The application explicitly bypasses its own htmlspecialchars()\\n sanitiser by calling Request::getRawParameter() or Request::getParameter($name, null, false).\\n This can be exploited to execute arbitrary HTML and script code in a user’s browser session in\\n context of an affected site.\\n \\n Tested on: GNU\/Linux\\n Apache2\\n PHP\/7.4\\n MySQL\/5.7 (MariaDB)\\n \\n \\n Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic\\n @zeroscience\\n \\n \\n Advisory ID: ZSL-2026-5980\\n Advisory URL: https:\/\/www.zeroscience.mk\/#\/advisories\/ZSL-2026-5980\\n \\n \\n 06.04.2026\\n \\n –\\n \\n \\n POST \/docs\/r\/123\/edit HTTP\/1.1\\n Host: 127.0.0.1\\n Content-Type: application\/x-www-form-urlencoded\\n Cookie: username=zeroscience; session_token=0123xxx\\n \\n article_content=\\u003csvg onload=alert(‘251’)\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218854″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218854\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-13T17:45:45″,”description”:”Pachno version 1.0.6 suffers from persistent cross site scripting vulnerabilities…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218854″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Pachno 1.0.6 Stored Cross-Site Scripting\\n \\n \\n Vendor: Daniel Andr\u00e9 Eikeland\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-46373","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=46373\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-13T17:45:45″,”description”:”Pachno version 1.0.6 suffers from persistent cross site scripting vulnerabilities…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218854″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Pachno 1.0.6 Stored Cross-Site Scriptingn n n Vendor: Daniel Andr\u00e9 Eikelandn...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=46373\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-13T13:52:27+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854\",\"datePublished\":\"2026-04-13T13:52:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373\"},\"wordCount\":337,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=46373#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373\",\"name\":\"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-13T13:52:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=46373\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46373#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=46373","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854 - zero redgem","og_description":"{“lastseen”:”2026-04-13T17:45:45″,”description”:”Pachno version 1.0.6 suffers from persistent cross site scripting vulnerabilities…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218854″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Pachno 1.0.6 Stored Cross-Site Scriptingn n n Vendor: Daniel Andr\u00e9 Eikelandn...","og_url":"https:\/\/zero.redgem.net\/?p=46373","og_site_name":"zero redgem","article_published_time":"2026-04-13T13:52:27+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=46373#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=46373"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854","datePublished":"2026-04-13T13:52:27+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=46373"},"wordCount":337,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=46373#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=46373","url":"https:\/\/zero.redgem.net\/?p=46373","name":"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-13T13:52:27+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=46373#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=46373"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=46373#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Pachno 1.0.6 Cross Site Scripting_PACKETSTORM:218854"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/46373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46373"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/46373\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}