Description
SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by an authenticated victim, results in arbitrary JavaScript execution in the victim's browser.

This issue affects SOPlanning version 1.55 and below.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOPlanning is vulnerable to reflected XSS via the taches parameter. An attacker can craft a malicious URL that, when opened by an authenticated victim, results in arbitrary JavaScript execution in the victim's browser. This can lead to session hijacking, data theft, and manipulation of the victim's data. The critical weakness is a reflected cross-site scripting flaw, identified as CWE-79.

Affected Systems

The vulnerability affects all installations of SOPlanning version 1.55 and below. No other product versions are known to be impacted.

Risk and Exploitability

The CVSS score of 5.1 classifies the vulnerability as medium severity. Exploitation requires the victim to be authenticated and to click a specially crafted link, indicating a social engineering or phishing component. EPSS is not available and the issue is not listed in the CISA KEV catalog, suggesting that active exploitation in the wild has not been observed to date. Still, because the exploitation vector is accessible via a URL and requires only an authenticated user, the risk remains significant for environments that expose the application to untrusted links.

Generated by OpenCVE AI on June 1, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest SOPlanning release that removes the vulnerable taches parameter or upgrade to a version newer than 1.55.
  • If upgrade is not immediately possible, remove or restrict the taches parameter from authenticated user requests, ensuring it cannot be supplied by external input.
  • Implement a strict content security policy to prevent the execution of arbitrary scripts originating from reflected input.

Generated by OpenCVE AI on June 1, 2026 at 10:22 UTC.
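As an added illustration of the recommended mitigations, not SOPlanning's own code: a hypothetical PHP handler that reflects a taches query parameter, shown in the vulnerable form the description implies and in a hardened form (allow-listed value shape, HTML-context encoding, plus the content security policy the recommendations mention). The function names, the assumed numeric-id format of taches and the sample input are all assumptions made for this example.

```php
<?php
// Added illustration, not code from SOPlanning. The handler names and the
// assumed format of the "taches" (tasks) parameter are hypothetical.

// Vulnerable pattern (the CWE-79 defect class): the raw query value is written
// straight into the HTML response, so whoever controls the URL controls markup.
function render_tasks_vulnerable(array $get): string
{
    $taches = $get['taches'] ?? '';
    return "<h2>Tasks: $taches</h2>";
}

// Hardened pattern: first validate the value against the shape the
// application expects, then encode it for the HTML context it lands in.
function render_tasks_hardened(array $get): string
{
    $raw = $get['taches'] ?? '';
    // Assumption: taches is a comma-separated list of numeric task ids.
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        $raw = ''; // reject unexpected input instead of reflecting it
    }
    // Encoding is still applied: validation and output encoding are layered,
    // so a later change to the allowed format cannot silently reopen the hole.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Tasks: $safe</h2>";
}

// Defence in depth: a policy without 'unsafe-inline' stops inline script from
// running even if another reflection point was missed elsewhere in the app.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'");
}

// Constructed sample request for a local check (run with the PHP CLI).
$sample = ['taches' => '12,<script>alert(1)</script>'];
send_csp_header();
echo render_tasks_vulnerable($sample), PHP_EOL; // markup reaches the page unchanged
echo render_tasks_hardened($sample), PHP_EOL;   // value rejected, nothing reflected
```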

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Soplanning; Soplanning soplanning

Type: Vendors & Products
Values Removed: (none)
Values Added: Soplanning; Soplanning soplanning

Mon, 01 Jun 2026 09:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by an authenticated victim, results in arbitrary JavaScript execution in the victim's browser. This issue affects SOPlanning version 1.55 and below.

Type: Title
Values Removed: (none)
Values Added: Reflected XSS in SOPlanning

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-01T13:03:07.690Z

Reserved: 2026-04-14T09:44:27.613Z

Link: CVE-2026-40545

Vulnrichment

Updated: 2026-06-01T13:03:03.897Z

NVD

Status: Deferred

Published: 2026-06-01T09:16:17.287

Modified: 2026-06-01T16:37:15.140

Link: CVE-2026-40545

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')