Description
SOPlanning is vulnerable to Cross‑Site Request Forgery (CSRF) in groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application.

This issue affects SOPlanning version 1.55 and below.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOPlanning allows an attacker to forge state‑changing requests to group endpoints. By luring an authenticated user to a malicious site, the attacker can trigger GET or POST calls to create, modify, or delete groups without user consent. The effect is the unauthorized alteration or removal of group data, which may compromise the integrity of the application's data store.

Affected Systems

SOPlanning version 1.55 and earlier (all installations at or below 1.55).

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is considered moderate severity. No EPSS score is available, and the vulnerability is not yet listed in CISA KEV, suggesting low to moderate exploitation probability. The attack vector is inferred to be external via a browser session, requiring the victim to be logged in to the application when visiting the attacker’s site.

Generated by OpenCVE AI on June 1, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SOPlanning to version 1.56 or later
  • If an immediate upgrade is not feasible, configure the application to reject state‑changing requests that lack a valid CSRF token and ensure that the token is tied to the user's session
  • Deploy a web‑application firewall rule or browser policy that blocks cross‑origin XHR or form submissions to the group endpoints

Generated by OpenCVE AI on June 1, 2026 at 10:20 UTC.


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 15:30:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Soplanning, Soplanning soplanning

Type: Vendors & Products
Values removed: none
Values added: Soplanning, Soplanning soplanning

Mon, 01 Jun 2026 09:15:00 +0000

Type: Description
Values removed: none
Values added: SOPlanning is vulnerable to Cross‑Site Request Forgery (CSRF) in groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application. This issue affects SOPlanning version 1.55 and below.

Type: Title
Values removed: none
Values added: Cross-Site Request Forgery in SOPlanning

Type: Weaknesses
Values removed: none
Values added: CWE-352

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Soplanning Soplanning
MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-01T13:05:01.661Z

Reserved: 2026-04-14T09:44:27.613Z

Link: CVE-2026-40549

Vulnrichment

Updated: 2026-06-01T13:04:57.894Z

NVD

Status: Deferred

Published: 2026-06-01T09:16:17.777

Modified: 2026-06-01T16:37:15.140

Link: CVE-2026-40549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)