Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. Attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database.
This issue affects SOPlanning version 1.55 and below.
AnalysisAI
SQL injection in SOPlanning 1.55 and earlier allows authenticated low-privileged users to inject arbitrary SQL commands across multiple endpoints and parameters, potentially leading to full database compromise. The flaw was reported by CERT Polska and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
SOPlanning (Simple Online Planning) is an open-source PHP/MySQL-based collaborative project planning and scheduling web application. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating that user-controlled input across multiple endpoints and parameters is concatenated into SQL queries without proper parameterization or escaping. Because the issue spans multiple sinks rather than a single endpoint, it suggests a systemic lack of prepared statements throughout the affected codebase rather than an isolated coding error.
RemediationAI
No vendor-released patch identified at time of analysis; the CERT Polska advisory at https://cert.pl/en/posts/2026/06/CVE-2026-40543 and the vendor site https://www.soplanning.org/en/ should be monitored for a fixed release above 1.55. Until a patched version is available, restrict the SOPlanning web interface to trusted networks via firewall or VPN, remove or disable accounts that do not strictly require access (since any low-privileged credential is sufficient to exploit), and place a WAF in front of the application with SQL injection rule sets enabled - accepting that signature-based WAF rules will reduce but not eliminate risk and may produce false positives on legitimate planning data containing quotes or SQL keywords. Enforce least-privilege on the database account used by SOPlanning (no FILE, no cross-database, no DDL) to limit blast radius if exploitation occurs, and enable database query logging to detect anomalous statements.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33612
GHSA-fgqx-9q7r-qrvh