Description
SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. An attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database.

This issue affects SOPlanning version 1.55 and below.
Published: 2026-06-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOPlanning contains multiple SQL injection flaws across several endpoints that accept user-supplied parameters. An attacker with low privileges (an authenticated, low-privilege user; the CVSS vector is AV:N/PR:L/UI:N) can inject arbitrary SQL commands, which may allow data theft, modification, or full control over the application database, compromising confidentiality, integrity, and availability. The flaw is classified as CWE-89: request input is built into SQL statements without proper neutralisation, so crafted parameter values are executed as part of the query.

Affected Systems

This issue affects the SOPlanning application from the SOPlanning vendor in all releases up to and including version 1.55. The CVE entry names no other affected builds and no fixed version, so every deployment running 1.55 or older should be treated as vulnerable.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) rates the vulnerability as high: it is reachable over the network, needs no user interaction, and yields high confidentiality and integrity impact on the database. The entry is not in CISA's KEV catalogue and its EPSS score is below 1%, so there is no confirmed in-the-wild exploitation yet; the SSVC assessment nevertheless marks it as automatable with total technical impact, and SQL injection in a web application is usually straightforward to weaponise once the affected parameters are known. An authenticated user with low privileges can exploit the flaws through the exposed web endpoints to read or alter database contents, so urgent remediation is warranted.

Generated by OpenCVE AI on June 1, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround is currently listed.

OpenCVE Recommended Actions

  • Upgrade the SOPlanning installation to a release newer than 1.55 as soon as the vendor publishes one. At the time of writing the advisory lists no fixed version, so confirm the fix in the vendor's release notes rather than assuming a particular version number is patched.
  • If an upgrade is not immediately possible, patch the affected code to use parameterised (prepared) queries for every request parameter that reaches SQL, and add strict allow-list validation of those parameters as defence in depth. The advisory does not enumerate the vulnerable endpoints, so apply this to every query that takes request input; a web application firewall rule against common SQL injection payloads reduces exposure but does not fix the flaw.
  • Because exploitation requires a valid low-privilege account (PR:L), review who can obtain one: disable self-registration if it is not needed, remove stale accounts, and restrict the application to trusted networks where possible.
  • Run SOPlanning against a dedicated database account granted only the privileges the application needs on its own schema (on MySQL/MariaDB, for example, no FILE or SUPER privileges and no rights on other databases), so that a successful injection cannot be escalated to the database server or other databases. Monitor database and web logs for unexpected query patterns from low-privilege sessions, such as UNION SELECT, timing probes using sleep(), or stacked statements.
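The two code-level mitigations above (parameterised queries, allow-list input validation) side by side with the vulnerable pattern they replace, as an added example that is not SOPlanning's code and does not come from this advisory. It uses Python with an in-memory SQLite database, a constructed hypothetical schema (planning_task, user_account) and a hypothetical `owner` request parameter; the advisory does not name the real vulnerable endpoints or parameters. The same bind-the-value pattern applies with whatever driver the application uses (for example PDO or mysqli prepared statements in PHP).

```python
import re
import sqlite3

# Constructed sample schema and rows standing in for a planning
# application's database. The table and column names are hypothetical,
# not SOPlanning's real schema.
SCHEMA = """
CREATE TABLE planning_task (id INTEGER PRIMARY KEY, title TEXT, owner TEXT);
CREATE TABLE user_account (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT, role TEXT);
INSERT INTO planning_task VALUES (1, 'Weekly sync', 'alice'), (2, 'Audit prep', 'bob');
INSERT INTO user_account VALUES (1, 'admin', '$2y$10$adminhash', 'admin'),
                                (2, 'bob',   '$2y$10$bobhash',   'user');
"""

# Payload a low-privilege user could send in the hypothetical `owner`
# request parameter: it closes the string literal, appends a UNION that
# pulls every login and password hash out of another table, and comments
# out the trailing quote the original query would have added.
UNION_PAYLOAD = "bob' UNION SELECT login, pw_hash FROM user_account -- "


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def tasks_for_owner_vulnerable(conn, owner):
    """CWE-89: the request parameter is concatenated into the SQL text,
    so anything it contains is parsed as SQL."""
    sql = "SELECT title, owner FROM planning_task WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def tasks_for_owner_fixed(conn, owner):
    """Parameterised query: the value is bound by the driver and can only
    ever be compared as a string, never interpreted as SQL."""
    sql = "SELECT title, owner FROM planning_task WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


_OWNER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_owner(owner):
    """Allow-list check, useful as defence in depth or as a stopgap when the
    query cannot be rewritten immediately. Rejects quotes, spaces and
    comment sequences outright; it does not replace parameterisation."""
    if not _OWNER_RE.match(owner):
        raise ValueError("invalid owner parameter")
    return owner


def run_demo():
    """Exercise both code paths with the same payload and a benign value."""
    conn = make_db()
    leaked = set(tasks_for_owner_vulnerable(conn, UNION_PAYLOAD))
    blocked = tasks_for_owner_fixed(conn, UNION_PAYLOAD)
    benign = tasks_for_owner_fixed(conn, "bob")
    try:
        validate_owner(UNION_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked_rows": leaked,        # includes ('admin', '$2y$10$adminhash')
        "blocked_rows": blocked,      # [] : payload compared as a literal string
        "benign_rows": benign,        # [('Audit prep', 'bob')]
        "payload_rejected_by_validator": rejected,  # True
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the block shows the string-concatenated query handing a low-privilege caller every login and password hash from an unrelated table, while the parameterised query returns nothing for the same payload because the whole string is compared as a value. The allow-list validator blocks this payload only because it rejects quotes and spaces; a parameter that legitimately needs such characters (a task title, say) cannot be protected that way, which is why binding the value is the actual fix and validation is only the second layer.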



Advisories

No advisories yet.

History

Each entry lists the fields changed and the values added; no values were removed in any entry.

Mon, 01 Jun 2026 15:30:00 +0000

Metrics, values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 11:15:00 +0000

First Time appeared, values added: Soplanning; Soplanning soplanning
Vendors & Products, values added: Soplanning; Soplanning soplanning

Mon, 01 Jun 2026 09:15:00 +0000

Description, values added: SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. Attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database. This issue affects SOPlanning version 1.55 and below.
Title, values added: Multiple SQL Injections in SOPlanning
Weaknesses, values added: CWE-89
References, values added: (none)
Metrics, values added: cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Updated: 2026-06-01T13:03:47.008Z

Reserved: 2026-04-14T09:44:27.613Z

Link: CVE-2026-40546

Vulnrichment

Updated: 2026-06-01T13:03:43.055Z

NVD

Status: Deferred

Published: 2026-06-01T09:16:17.400

Modified: 2026-06-01T16:37:15.140

Link: CVE-2026-40546

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T11:00:07Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')