Pachno is an open-source collaboration platform (formerly known as The Bug Genie) designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public License.
The application calls PHP's unserialize() function on the contents of cache files stored under {PACHNO_PATH}/cache/ during the framework bootstrap sequence, before any authentication, routing, or controller logic is executed. Cache files are created with world-writable permissions (chmod 0666) and use deterministic, predictable filenames derived from a small set of constants. An attacker who can write to the cache directory can inject a serialized PHP object payload that triggers arbitrary code execution on the next HTTP request.
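A defender can check an installation for the two conditions described above. The following is an added example, not code from Pachno or from the advisory: a heuristic audit that flags world-writable cache files and reports the class names of any serialized PHP objects found in them. The function names, the `expected_classes` parameter and the sample file names are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic: serialized PHP objects appear as O:<len>:"<Class>":<count>: (or C: for Serializable)
OBJECT_TOKEN = re.compile(rb'(?:^|[;{])[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:')

def audit_cache_dir(cache_dir, expected_classes=frozenset()):
    """Return (path, issue) findings for a cache directory such as {PACHNO_PATH}/cache/."""
    findings = []
    if stat.S_IMODE(os.stat(cache_dir).st_mode) & stat.S_IWOTH:
        findings.append((cache_dir, "directory is world-writable"))
    for root, _dirs, files in os.walk(cache_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # Do not follow links; a link in a cache directory is itself worth review
                findings.append((path, "symlink inside cache directory"))
                continue
            if stat.S_IMODE(st.st_mode) & stat.S_IWOTH:
                findings.append((path, "file is world-writable"))
            with open(path, "rb") as fh:
                data = fh.read()
            # Report every class the file would instantiate that is not on the allow-list
            for cls in sorted({m.decode() for m in OBJECT_TOKEN.findall(data)}):
                if cls not in expected_classes:
                    findings.append((path, f"serialized object of unexpected class {cls}"))
    return findings

def demo():
    """Audit a constructed cache directory (file names and contents are made up)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "settings.cache")
        bad = os.path.join(d, "routes.cache")
        with open(good, "wb") as fh:
            fh.write(b'a:1:{s:4:"lang";s:5:"en_US";}')   # plain array, no objects
        with open(bad, "wb") as fh:
            fh.write(b'a:1:{i:0;O:8:"stdClass":0:{}}')   # array holding an object
        os.chmod(good, 0o600)
        os.chmod(bad, 0o666)   # the permission the advisory describes
        return [(os.path.basename(p), issue) for p, issue in audit_cache_dir(d)]

if __name__ == "__main__":
    for name, issue in demo():
        print(f"{name}: {issue}")
```

The object-token match is a pattern search over raw bytes, so a string value that happens to contain the same byte sequence will also be reported; treat findings as items to review against the classes the application is expected to cache.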