Skip to main content

SOPlanning CVE-2026-40544

| EUVDEUVD-2026-33610 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 cvd@cert.pl GHSA-hgm3-4mgq-cfx8
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:35 vuln.today

DescriptionCVE.org

SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup.

This issue affects SOPlanning version 1.55 and below.

AnalysisAI

Stored XSS in SOPlanning 1.55 and earlier allows an authenticated low-privileged attacker to persist malicious JavaScript inside the application by uploading a crafted backup archive through the /process/upload_backup endpoint. The payload, embedded in a user.csv file within a ZIP, executes in a victim's browser when they click the Edit button on the affected backup entry - enabling session hijacking or UI manipulation against any user who interacts with the backup management interface. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.1 correctly reflects the constrained impact ceiling imposed by required authentication and passive user interaction.

Technical ContextAI

SOPlanning is an open-source web-based planning and scheduling application. The vulnerability originates in the backup restore workflow, specifically the /process/upload_backup endpoint, which accepts a ZIP archive and processes its contents - including CSV files such as user.csv - without applying sufficient output encoding before rendering that data back in the browser interface. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: attacker-controlled string data flows from the uploaded CSV into HTML output without sanitization, allowing JavaScript to be stored server-side and later reflected into a victim's browser. The CVSS 4.0 vector (AV:N/AC:L/AT:N) confirms no special network position or additional prerequisites beyond credentials are required for the upload phase. No CPE string was provided in the available data.

RemediationAI

Upgrade SOPlanning to a version above 1.55 as the primary remediation; consult the vendor directly at https://www.soplanning.org/en/ to confirm the latest patched release, as no specific fixed version number was identified in the available input data - patch availability and the exact fix version must be verified with the vendor before deployment. As a compensating control, restrict access to the /process/upload_backup endpoint to only highly trusted administrative accounts, reducing the population of users capable of triggering the injection; this does not eliminate the risk but substantially raises the attacker privilege bar. Deploying a Content Security Policy header restricting inline script execution (e.g., script-src 'self') at the web server or reverse proxy layer would prevent stored JavaScript payloads from executing even if malicious content is present - though this requires server-side configuration changes and should be tested against legitimate application JavaScript functionality to avoid breakage. Relying on user vigilance around the Edit button is not a viable control.

Share

CVE-2026-40544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy