Skip to main content

SOPlanning EUVDEUVD-2026-33613

| CVE-2026-40547 MEDIUM
Path Traversal (CWE-22)
2026-06-01 cvd@cert.pl GHSA-6g52-vww8-5mh5
6.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:36 vuln.today

DescriptionCVE.org

SOPlanning is vulnerable to Path Traversal in backup endpoints. Authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user.

This issue affects SOPlanning version 1.55 and below.

AnalysisAI

Path traversal in SOPlanning 1.55 and below exposes backup endpoints to arbitrary file read and execution, allowing a high-privilege authenticated attacker to construct payloads that traverse directories and interact with files previously stored via the backup functionality. The standalone vulnerability's PR:H authentication barrier is critically undermined by a companion flaw, CVE-2026-40543 (Missing Authorization), which removes authorization enforcement on backup file access entirely - enabling any unauthenticated user to read backup files. The combined exploit chain elevates practical risk well above what the standalone CVSS 6.4 score implies, with downstream High impacts across Confidentiality, Integrity, and Availability. No public exploit or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

SOPlanning is an open-source web-based project planning and scheduling application. CWE-22 (Path Traversal) describes a failure to sanitize special path elements such as '../' in user-supplied input before using it to construct filesystem paths, allowing an attacker to escape the intended directory scope. In this case, the flaw resides in backup-related endpoints where path components derived from user input are not adequately validated. Notably, the vulnerability permits not only reading but also executing files previously introduced via the backup functionality, suggesting the application's backup mechanism accepts files that may include server-side executable content (e.g., PHP scripts) and that the endpoint processes them without execution restrictions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) with downstream component impacts (SC:H/SI:H/SA:H) reflects that exploitation can compromise systems and resources beyond the vulnerable SOPlanning instance itself. The companion CVE-2026-40543 represents a Missing Authorization (CWE-862) flaw affecting the same backup subsystem.

RemediationAI

No specific patched version number was provided in the available data; administrators must consult the vendor advisory at https://www.soplanning.org/en/ to determine whether an updated release is available and upgrade immediately if so. As an interim compensating control, restrict unauthenticated and low-privilege access to all backup-related endpoints at the web server or reverse proxy layer (e.g., deny requests matching backup route patterns to non-administrative sessions) - this addresses the Missing Authorization component of the chain (CVE-2026-40543) and raises the bar back to PR:H. Additionally, configure the web server to deny script execution within the backup storage directory (e.g., set PHP or CGI handler restrictions on that path), which prevents the execution primitive even if path traversal is triggered. If the backup functionality is not operationally required, disabling it entirely eliminates both CVE-2026-40547 and CVE-2026-40543. Note that access restriction at the web server layer is a mitigation, not a fix - it can be misconfigured and does not address the root cause in application code.

Share

EUVD-2026-33613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy