| CVE ID | CVE-2026-50644 |
| Publication date | 09 July 2026 |
| Vendor | SOPlanning |
| Product | SOPlanning |
| Vulnerable versions | All before 1.56.01 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerability in SOPlanning software and participated in coordination of its disclosure.
The vulnerability CVE-2026-50644: SOPlanning is vulnerable to SQL injection in the audit retention configuration. An attacker holding parameters_all permissions can inject SQL commands into the audit configuration form which is then saved. The execution is triggered when the audit functionality is accessed (by the attacker or another user).
This issue was fixed in version 1.56.01
Credits
We thank Arkadiusz Marta for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.