| CVE ID | Publication date | Vendor | Product | Vulnerable versions | Vulnerability type (CWE) | Report source |
|---|---|---|---|---|---|---|
| CVE-2026-40543 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Missing Authorization (CWE-862) | Report to CERT Polska |
| CVE-2026-40544 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) | Report to CERT Polska |
| CVE-2026-40545 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) | Report to CERT Polska |
| CVE-2026-40546 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | Report to CERT Polska |
| CVE-2026-40547 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Report to CERT Polska |
| CVE-2026-40548 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Unrestricted Upload of File with Dangerous Type (CWE-434) | Report to CERT Polska |
| CVE-2026-40549 | 01 June 2026 | SOPlanning | SOPlanning | All through 1.55 | Cross-Site Request Forgery (CSRF) (CWE-352) | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in SOPlanning software and participated in coordination of their disclosure.
The vulnerability CVE-2026-40543: SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.
The vulnerability CVE-2026-40544: SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup.
The vulnerability CVE-2026-40545: SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by an authenticated victim, results in arbitrary JavaScript execution in the victim’s browser.
The vulnerability CVE-2026-40546: SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. An attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database.
The vulnerability CVE-2026-40547: SOPlanning is vulnerable to Path Traversal in backup endpoints. An authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user.
The vulnerability CVE-2026-40548: SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (e.g., a PHP script) can be placed in a web-accessible location and executed via the browser.
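The two backup-archive issues above (CVE-2026-40547 and CVE-2026-40548) share one root cause: archive member names are trusted before extraction. The following validator is an added example written for this advisory, not SOPlanning's own code; it assumes a backup archive should contain only user.csv and config.csv (the two files the advisory names) and rejects every member that is an absolute path, climbs out of the extraction directory, lives in a subdirectory, or does not carry the .csv extension.

```python
import io
import zipfile
from typing import Dict, Optional

# Assumption for this example: a legitimate backup holds only these two members
# (the advisory names user.csv and config.csv; adjust for the real format).
ALLOWED_MEMBERS = {"user.csv", "config.csv"}


def check_member_name(name: str) -> Optional[str]:
    """Return a rejection reason for one archive entry, or None if it is safe."""
    # Treat backslashes as separators so "..\\x" cannot slip past the checks.
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return "absolute path"
    parts = normalised.split("/")
    if ".." in parts:
        return "path traversal"
    if len(parts) > 1:
        return "subdirectory not allowed"
    base = parts[0]
    if not base.lower().endswith(".csv"):
        return "disallowed extension"
    if base not in ALLOWED_MEMBERS:
        return "unexpected member"
    return None


def validate_backup_zip(data: bytes) -> Dict[str, Optional[str]]:
    """Map every entry name in the archive to its rejection reason (None = accepted)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: check_member_name(info.filename) for info in zf.infolist()}


def safe_to_extract(data: bytes) -> bool:
    """A single bad member rejects the whole upload; nothing is extracted first."""
    return all(reason is None for reason in validate_backup_zip(data).values())


def build_sample_zip() -> bytes:
    """Constructed sample: two legitimate CSVs beside two entries that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("user.csv", "login;name\nalice;Alice\n")
        zf.writestr("config.csv", "key;value\n")
        zf.writestr("shell.php", "not-a-csv")                    # wrong type (CWE-434)
        zf.writestr("../../../var/www/html/x.php", "not-a-csv")  # traversal (CWE-22)
    return buf.getvalue()
```

The check runs on the central-directory names before any member is written to disk, which is the order that matters: validating after extraction leaves the malicious file in place for the traversal path to reach.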
The vulnerability CVE-2026-40549: SOPlanning is vulnerable to Cross-Site Request Forgery (CSRF) in the groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application.
These issues affect SOPlanning version 1.55 and below.
Credits
We thank Łukasz Jaworski for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.