Description
SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup.

This issue affects SOPlanning version 1.55 and below.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOPlanning is vulnerable to a stored cross‑site scripting flaw through the /process/upload_backup endpoint. An authenticated attacker can upload a specially crafted ZIP archive containing a malicious user.csv file that embeds JavaScript. The injected code runs in the victim’s browser when that user clicks the Edit button for the malicious backup, allowing the attacker to execute arbitrary scripts in the context of the victim’s session and potentially exfiltrate confidential data or manipulate page content.

Affected Systems

Vendors and products impacted are SOPlanning, specifically all releases version 1.55 and earlier.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium‑severity vulnerability, and the EPSS score is currently unavailable, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must first authenticate to the application, gain access to the backup upload feature, and then a target user must execute the Edit action on the malicious backup. Because of these prerequisites, the risk of exploitation is moderate, pending further public exploitation evidence.

Generated by OpenCVE AI on June 1, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SOPlanning to a version higher than 1.55 or apply any vendor‑supplied patch that addresses the stored XSS flaw.
  • Restrict the ability to upload and edit backup files to administrative or highly trusted accounts only, enforcing least privilege for all users.
  • Validate or sanitize the contents of uploaded backup files, rejecting or escaping any embedded JavaScript, and consider disabling script execution within backup‑derived content.

Generated by OpenCVE AI on June 1, 2026 at 10:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Soplanning
Soplanning soplanning
Vendors & Products Soplanning
Soplanning soplanning

Mon, 01 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup. This issue affects SOPlanning version 1.55 and below.
Title Stored XSS in SOPlanning
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Soplanning Soplanning
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-01T13:06:47.877Z

Reserved: 2026-04-14T09:44:27.613Z

Link: CVE-2026-40544

cve-icon Vulnrichment

Updated: 2026-06-01T13:06:44.306Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T09:16:17.163

Modified: 2026-06-01T16:37:15.140

Link: CVE-2026-40544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')