PatchSiren cyber security CVE debrief
CVE-2026-40545 SOPlanning CVE debrief
A reflected cross-site scripting (XSS) vulnerability exists in SOPlanning versions 1.55 and below. The flaw resides in the `taches` parameter, whose user-supplied value is reflected into the application's response without proper output encoding. An attacker can construct a URL carrying a JavaScript payload in that parameter; when an authenticated victim opens the URL, the script executes in the victim's browser within the SOPlanning origin. Because the attack is client-side and requires the victim to follow a crafted link, exploitability is limited, but the impact is still meaningful: session hijacking (where the session cookie is not HttpOnly), phishing inside a trusted page, or actions performed in the application with the victim's privileges. The CVSS 4.0 vector records a network attack vector, low attack complexity, no attacker privileges required, and active user interaction; impact on the vulnerable system itself is rated None, with Low confidentiality and integrity impact on the subsequent system (the victim's browser session), which yields the MEDIUM 5.1 score. The vulnerability was disclosed on June 1, 2026, with CERT.PL as the reporting source. No known exploitation in ransomware campaigns has been documented.
- Vendor: SOPlanning
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
SOPlanning administrators, security teams managing project planning software, and organizations using SOPlanning ≤1.55 with authenticated user bases.
Technical summary
Reflected XSS in SOPlanning ≤1.55 via unsanitized `taches` parameter; arbitrary JavaScript execution in authenticated victim's browser upon malicious URL access.
Defensive priority
medium
Recommended defensive actions
- Upgrade SOPlanning to a version newer than 1.55 when available; verify vendor release notes for explicit XSS remediation in the `taches` parameter.
- Deploy a Content Security Policy (CSP) that restricts script sources to the application's own origin and does not include `'unsafe-inline'` in `script-src`; a policy that permits inline scripts does not stop a reflected payload from running.
- Apply context-aware output encoding to every user-controllable parameter, `taches` in particular: HTML entity encoding where the value lands in HTML body text, quoting plus attribute encoding where it lands in an attribute, and JavaScript string escaping where it lands inside a script block. Encoding for the wrong context is a common reason a "fixed" XSS remains exploitable.
- Deploy web application firewall (WAF) rules to detect and block common XSS payloads in the `taches` parameter and similar query strings, treating this as a stopgap until the application is patched; encoding variants routinely bypass signature-based rules.
- Review web-server access logs for requests whose `taches` value, once URL-decoded (including double-encoded forms such as `%253C`), contains `<script`, `javascript:`, or event-handler attributes. Payloads appear percent-encoded in access logs, so a literal search for `<script>` in the raw log will miss them.
- Educate users against clicking unsolicited links, especially while authenticated to SOPlanning, to reduce social engineering attack surface.
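The following script illustrates two of the actions above, the log review and the output-encoding fix, against a reflected `taches` parameter. It is an added example written for this debrief, not SOPlanning code; the `/planning.php` path, the log lines and the two rendering helpers are constructed for illustration and do not describe SOPlanning's actual source. Its main point is the decoding caveat: a naive `grep '<script>'` over the raw access log finds nothing, while decoding the parameter (repeatedly, to surface double encoding) before matching finds every attempt.

```python
"""Access-log triage for reflected-XSS attempts against a `taches` query
parameter, plus a minimal before/after of the output-encoding fix.
Added example for this debrief; not SOPlanning code. All sample data below
is constructed."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators worth flagging once the parameter is fully decoded.
# Deliberately broad: this is a triage filter for analysts, not a blocking rule.
XSS_MARKERS = {
    "script_tag": re.compile(r"<\s*/?\s*script", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler_tag": re.compile(
        r"<\s*(img|svg|iframe|body|input|details)\b[^>]*\bon\w+\s*=", re.I),
    "event_handler": re.compile(r"\bon(error|load|focus|mouseover|toggle)\s*=", re.I),
}

# Request field of a combined-format log line: "METHOD TARGET HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed Apache combined-format lines; hosts, paths and timestamps are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2026:09:14:02 +0000] "GET /planning.php?taches=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2026:09:14:30 +0000] "GET /planning.php?taches=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5201 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2026:09:15:11 +0000] "GET /planning.php?taches=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5199 "-" "curl/8.4"',
    '203.0.113.9 - - [01/Jun/2026:09:15:40 +0000] "GET /planning.php?taches=javascript%3Aalert(1) HTTP/1.1" 200 5180 "-" "curl/8.4"',
    '192.0.2.44 - - [01/Jun/2026:09:16:00 +0000] "GET /planning.php?taches=reunion+hebdo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def full_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
    surface. Stops early once a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def taches_values(target: str) -> list[str]:
    """Every decoded `taches` value in a request target, [] if the parameter is absent."""
    raw = parse_qs(urlsplit(target).query, keep_blank_values=True).get("taches", [])
    return [full_unquote(v) for v in raw]  # parse_qs already decoded one layer


def classify_target(target: str) -> list[str]:
    """Names of the XSS markers matched by the decoded `taches` values of one request."""
    return [name for value in taches_values(target)
            for name, pat in XSS_MARKERS.items() if pat.search(value)]


def scan_log(lines: list[str]) -> list[dict]:
    """Return one finding per suspicious line: line number, decoded values, marker names."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = classify_target(m.group("target"))
        if hits:
            findings.append({"line": n, "values": taches_values(m.group("target")), "hits": hits})
    return findings


def naive_grep(lines: list[str]) -> int:
    """What a literal search for '<script>' over the raw log would find: nothing,
    because the browser percent-encodes the payload before it reaches the server."""
    return sum("<script>" in line for line in lines)


def render_taches_vulnerable(taches: str) -> str:
    """Hypothetical CWE-79 pattern: the raw parameter is reflected into HTML body text."""
    return f"<h2>Tasks: {taches}</h2>"


def render_taches_hardened(taches: str) -> str:
    """Same reflection with HTML-body-context encoding of & < > \" and '."""
    return f"<h2>Tasks: {html.escape(taches, quote=True)}</h2>"


if __name__ == "__main__":
    print(f"naive grep for '<script>' matched {naive_grep(SAMPLE_LOG)} line(s)")
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['hits']} <- {f['values']}")
    print(render_taches_hardened("<script>alert(1)</script>"))
```

Run it on a real access log by replacing `SAMPLE_LOG` with the file's lines; the decode-then-match step is what matters, not the exact marker list, which an analyst should extend with whatever the WAF or proxy reports. The `render_*` pair only shows the HTML-body case; reflection into an attribute or a script block needs the context-specific encoding described above.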
Evidence notes
CVE description confirms reflected XSS via `taches` parameter affecting SOPlanning ≤1.55. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) assigned as primary weakness. Source references include CERT.PL advisory and SOPlanning vendor website. Vendor attribution marked low confidence with review flag due to 'Unknown Vendor' classification in source data.
Official resources
2026-06-01