Skip to main content

SOPlanning EUVDEUVD-2026-33611

| CVE-2026-40545 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 cvd@cert.pl GHSA-g36v-xj2q-4799
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:35 vuln.today

DescriptionCVE.org

SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser.

This issue affects SOPlanning version 1.55 and below.

AnalysisAI

Reflected XSS in SOPlanning 1.55 and below allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of authenticated SOPlanning users by delivering a crafted malicious URL containing a payload in the taches parameter. The vulnerability stems from insufficient output sanitization of user-supplied input before it is reflected in the HTTP response. No public exploit code or CISA KEV listing exists at time of analysis; this was reported by CERT Poland (CERT.PL) and carries a CVSS 4.0 score of 5.1 (Medium).

Technical ContextAI

SOPlanning is an open-source web-based planning and scheduling application. CWE-79 (Improper Neutralization of Input During Web Page Generation - Reflected XSS) arises here because the taches URL parameter is echoed back into the HTTP response without proper HTML encoding or output sanitization, allowing injected JavaScript to be executed by the victim's browser. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms the attack is network-reachable with no special system prerequisites or attacker authentication. The CVSS 4.0 impact model shows no direct compromise of the vulnerable system itself (VC:N/VI:N/VA:N) but Low confidentiality and integrity impact on the subsequent system (SC:L/SI:L), consistent with a reflected XSS that affects the victim's browser session and application context rather than the server. No CPE strings were included in the source data.

RemediationAI

No specific patched version was identified in the provided data; the patch status is 'no vendor-released patch confirmed at time of analysis.' Administrators should monitor the SOPlanning vendor site (https://www.soplanning.org/en/) and the CERT.PL advisory (https://cert.pl/en/posts/2026/06/CVE-2026-40543) for a patched release and apply it immediately when available. As a compensating control, deploying a web application firewall rule to detect and block requests where the taches parameter contains HTML metacharacters or JavaScript keywords can reduce exploitability; however, WAF rules are bypassable and must not substitute for a code-level fix. A secondary measure is restricting access to the SOPlanning instance to known internal networks or VPN, which limits the attacker's ability to deliver the malicious URL to victims from the public internet. Educating SOPlanning users to treat unsolicited links to the application with suspicion reduces the social engineering surface. All compensating controls carry trade-offs: WAF rules may produce false positives affecting legitimate planning data, and network restriction reduces accessibility for remote users.

Share

EUVD-2026-33611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy