Description
SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].
Published: 2026-05-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOPlanning version 1.52.00 contains an authentication‑borne SQL injection vulnerability located in projets.php, triggered when a user supplies a crafted statut[] array parameter. An attacker who can authenticate to the application can inject arbitrary SQL code into the backend database. Because the affected code directly incorporates the user‑supplied value into a query, the flaw can be used to read sensitive data, modify or delete records, or potentially pivot into other parts of the system depending on database privileges. The weakness is classified as SQL injection (CWE‑89).

Affected Systems

The only explicitly identified affected product is SOPlanning 1.52.00. No vendor or additional product versions are listed in the CNA data, so any installation of SOPlanning at that version or newer than 1.52.00 but lacking a patch could be vulnerable if the same code path remains. The source of the vulnerability is the statut[] parameter in projets.php.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, while the EPSS score remains low at <1% and the vulnerability is not listed in the CISA KEV catalog. The attack requires prior authentication, so the threat set is limited to users who log into the application. However, a proof‑of‑concept exists on GitHub, indicating that a determined adversary can deliver the injection payload and extract or modify database content. Once an attacker gains access, the impact can be significant, leading to data loss or breach of business‑critical information.

Generated by OpenCVE AI on May 8, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of SOPlanning that contains the fix for the SQL injection in projets.php.
  • Restrict access to projets.php, granting the minimum permissions required for legitimate users and preventing execution by ordinary authenticated users if possible.
  • Implement server‑side input validation and parameterized queries for any user‑controlled input, especially the statut[] array.
  • Deploy a web application firewall or intrusion detection system configured to flag and block suspicious SQL injection patterns targeting projets.php.

Generated by OpenCVE AI on May 8, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Soplanning
Soplanning soplanning
Vendors & Products Soplanning
Soplanning soplanning

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title SQL Injection via statut[] in projets.php of SOPlanning 1.52.00

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 06:45:00 +0000

Type Values Removed Values Added
Title SQL Injection via statut[] in projets.php of SOPlanning 1.52.00
Weaknesses CWE-89

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].
References

Subscriptions

Soplanning Soplanning
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T17:45:14.137Z

Reserved: 2024-04-26T00:00:00.000Z

Link: CVE-2024-33722

cve-icon Vulnrichment

Updated: 2026-05-08T17:45:09.602Z

cve-icon NVD

Status : Deferred

Published: 2026-05-08T06:16:09.417

Modified: 2026-05-08T18:16:32.147

Link: CVE-2024-33722

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:24:07Z

Weaknesses