Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser.
This issue affects SOPlanning version 1.55 and below.
AnalysisAI
Reflected XSS in SOPlanning 1.55 and below allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of authenticated SOPlanning users by delivering a crafted malicious URL containing a payload in the taches parameter. The vulnerability stems from insufficient output sanitization of user-supplied input before it is reflected in the HTTP response. No public exploit code or CISA KEV listing exists at time of analysis; this was reported by CERT Poland (CERT.PL) and carries a CVSS 4.0 score of 5.1 (Medium).
Technical ContextAI
SOPlanning is an open-source web-based planning and scheduling application. CWE-79 (Improper Neutralization of Input During Web Page Generation - Reflected XSS) arises here because the taches URL parameter is echoed back into the HTTP response without proper HTML encoding or output sanitization, allowing injected JavaScript to be executed by the victim's browser. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms the attack is network-reachable with no special system prerequisites or attacker authentication. The CVSS 4.0 impact model shows no direct compromise of the vulnerable system itself (VC:N/VI:N/VA:N) but Low confidentiality and integrity impact on the subsequent system (SC:L/SI:L), consistent with a reflected XSS that affects the victim's browser session and application context rather than the server. No CPE strings were included in the source data.
RemediationAI
No specific patched version was identified in the provided data; the patch status is 'no vendor-released patch confirmed at time of analysis.' Administrators should monitor the SOPlanning vendor site (https://www.soplanning.org/en/) and the CERT.PL advisory (https://cert.pl/en/posts/2026/06/CVE-2026-40543) for a patched release and apply it immediately when available. As a compensating control, deploying a web application firewall rule to detect and block requests where the taches parameter contains HTML metacharacters or JavaScript keywords can reduce exploitability; however, WAF rules are bypassable and must not substitute for a code-level fix. A secondary measure is restricting access to the SOPlanning instance to known internal networks or VPN, which limits the attacker's ability to deliver the malicious URL to victims from the public internet. Educating SOPlanning users to treat unsolicited links to the application with suspicion reduces the social engineering surface. All compensating controls carry trade-offs: WAF rules may produce false positives affecting legitimate planning data, and network restriction reduces accessibility for remote users.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33611
GHSA-g36v-xj2q-4799