Skip to main content

SOPlanning CVE-2026-40546

| EUVDEUVD-2026-33612 HIGH
SQL Injection (CWE-89)
2026-06-01 cvd@cert.pl GHSA-fgqx-9q7r-qrvh
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:31 vuln.today

DescriptionCVE.org

SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. Attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database.

This issue affects SOPlanning version 1.55 and below.

AnalysisAI

SQL injection in SOPlanning 1.55 and earlier allows authenticated low-privileged users to inject arbitrary SQL commands across multiple endpoints and parameters, potentially leading to full database compromise. The flaw was reported by CERT Polska and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

SOPlanning (Simple Online Planning) is an open-source PHP/MySQL-based collaborative project planning and scheduling web application. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating that user-controlled input across multiple endpoints and parameters is concatenated into SQL queries without proper parameterization or escaping. Because the issue spans multiple sinks rather than a single endpoint, it suggests a systemic lack of prepared statements throughout the affected codebase rather than an isolated coding error.

RemediationAI

No vendor-released patch identified at time of analysis; the CERT Polska advisory at https://cert.pl/en/posts/2026/06/CVE-2026-40543 and the vendor site https://www.soplanning.org/en/ should be monitored for a fixed release above 1.55. Until a patched version is available, restrict the SOPlanning web interface to trusted networks via firewall or VPN, remove or disable accounts that do not strictly require access (since any low-privileged credential is sufficient to exploit), and place a WAF in front of the application with SQL injection rule sets enabled - accepting that signature-based WAF rules will reduce but not eliminate risk and may produce false positives on legitimate planning data containing quotes or SQL keywords. Enforce least-privilege on the database account used by SOPlanning (no FILE, no cross-database, no DDL) to limit blast radius if exploitation occurs, and enable database query logging to detect anomalous statements.

Share

CVE-2026-40546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy