SOPlanning version 1.52.00 contains an authentication‑borne SQL injection vulnerability located in projets.php, triggered when a user supplies a crafted statut[] array parameter. An attacker who can authenticate to the application can inject arbitrary SQL code into the backend database. Because the affected code directly incorporates the user‑supplied value into a query, the flaw can be used to read sensitive data, modify or delete records, or potentially pivot into other parts of the system depending on database privileges. The weakness is classified as SQL injection (CWE‑89).

The only explicitly identified affected product is SOPlanning 1.52.00. No vendor or additional product versions are listed in the CNA data, so any installation of SOPlanning at that version or newer than 1.52.00 but lacking a patch could be vulnerable if the same code path remains. The source of the vulnerability is the statut[] parameter in projets.php.

Exploitability data such as CVSS or EPSS are not currently provided, and the vulnerability is not listed in the CISA KEV catalogue. The attack requires prior authentication, so the threat set is limited to users who log into the application. However, a proof‑of‑concept exists on GitHub, indicating that a determined adversary can deliver the injection payload and extract or modify database content. Administrators should be aware that once an attacker gains access, the impact can be significant, leading to data loss or breach of business‑critical information.