Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
SOPlanning is vulnerable to Cross‑Site Request Forgery (CSRF) in groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application.
This issue affects SOPlanning version 1.55 and below.
AnalysisAI
Cross-Site Request Forgery in SOPlanning 1.55 and below allows unauthenticated remote attackers to perform unauthorized group management operations - create, modify, or delete groups - by tricking an authenticated user into visiting a malicious webpage. The vulnerability affects the groupe_save endpoints, which accept forged GET or POST requests without validating request origin. No public exploit has been identified at time of analysis, and no KEV listing exists, but the low attack complexity and lack of privilege requirements for the attacker make social engineering viable against any authenticated user session.
Technical ContextAI
SOPlanning is an open-source online planning application. CWE-352 (Cross-Site Request Forgery) is the root cause: the application fails to implement anti-CSRF tokens or equivalent origin-validation mechanisms on the groupe_save endpoints responsible for creating, modifying, and deleting groups. Because browsers automatically include session cookies with cross-origin requests, a malicious third-party page can silently submit state-changing requests to the SOPlanning instance on behalf of an authenticated victim. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms network delivery with no special attack requirements and no privileges needed by the attacker, though active user interaction is required. Affected versions are SOPlanning 1.55 and all prior releases.
RemediationAI
No specific patched version number was provided in the available intelligence data; upstream fix status should be verified directly with the vendor at https://www.soplanning.org/en/ or via the CERT.PL advisory at https://cert.pl/en/posts/2026/06/CVE-2026-40543. If a patched release is available, upgrading to it is the primary recommended action. As a compensating control where upgrading is not immediately possible, deploying a web application firewall rule to enforce same-origin or same-site checks on POST requests to groupe_save endpoints can reduce exposure, though GET-based CSRF paths may require additional controls such as blocking unauthenticated cross-origin GET requests via reverse proxy configuration. Restricting SOPlanning access to internal networks or VPN reduces the attacker's ability to craft reliably reachable malicious pages that can reference the target instance. Training users with administrative or group-management roles to avoid clicking unvetted external links while authenticated to SOPlanning provides a behavioral layer of defense.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33615
GHSA-cxrr-8w2f-8vxj