PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40547 SOPlanning CVE debrief

CVE-2026-40547 is a path traversal vulnerability in SOPlanning affecting versions 1.55 and below. The vulnerability exists in backup endpoints, where an authenticated remote attacker can construct payloads to read and execute files previously added through the backup functionality. The severity is compounded by CVE-2026-40543 (Missing Authorization), which allows any unauthorized user to read any backup file. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no user interaction required, and high impacts to confidentiality, integrity, and availability of subsequent systems. The vulnerability was published on June 1, 2026, with a medium severity rating of 6.4. The vendor attribution is based on reference domain candidate evidence pointing to Soplanning, though confidence is low and requires review.

Vendor: SOPlanning
Product: Unknown
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running SOPlanning versions 1.55 or below for project planning and scheduling. Security teams managing web application portfolios with backup functionality. Incident response teams tracking exploitation of path traversal in PHP-based project management tools. Compliance officers responsible for ensuring backup data access controls meet authorization requirements.

Technical summary

The vulnerability resides in SOPlanning's backup endpoints, where insufficient path validation allows directory traversal. An authenticated attacker can manipulate file path parameters to access files outside the intended backup directory. Because backup functionality may store files under predictable names or locations, and because CVE-2026-40543 removes the authorization requirement for backup file access, the attack surface extends to unauthenticated actors. The CVSS 4.0 scoring reflects high subsequent-system impacts (SC:H/SI:H/SA:H) despite low direct impacts (VC:L/VI:N/VA:N), indicating that the vulnerability enables further compromise of the underlying infrastructure. The attack requires no user interaction and has low attack complexity, though high privileges (PR:H) are required for the path traversal itself.
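To make the weakness class concrete, the following added example (not SOPlanning code, and not from this advisory) contrasts a CWE-22 style file lookup that joins user input straight onto a backup directory with a hardened lookup that resolves the final path and requires it to remain inside that directory. The backup directory layout, file names and the `demo()` sandbox are constructed for illustration; SOPlanning's real endpoint code and paths are not described in the advisory.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def vulnerable_backup_path(backup_dir: str, requested: str) -> str:
    # The weakness pattern (CWE-22): user input is joined onto the base directory
    # with no containment check, so "../" sequences walk out of backup_dir.
    return os.path.join(backup_dir, requested)


def safe_backup_path(backup_dir: str, requested: str) -> Optional[str]:
    # Hardened variant: resolve symlinks and ".." on both sides, then require the
    # result to be a regular file located directly inside the backup directory.
    # Because the check runs on the fully resolved path, encoded or mixed-separator
    # traversal tricks only matter if decoding happens after this point.
    base = Path(backup_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)          # raises if candidate escaped base
    except ValueError:
        return None
    if candidate.parent != base:             # no subdirectories served either
        return None
    if not candidate.is_file():              # only existing regular files
        return None
    return str(candidate)


def demo() -> dict:
    # Constructed sandbox: a backup directory with one legitimate dump, a nested
    # directory that must not be served, and a sibling "config" file outside.
    root = Path(tempfile.mkdtemp()).resolve()
    try:
        backup_dir = root / "backups"
        (backup_dir / "sub").mkdir(parents=True)
        (backup_dir / "nightly.sql").write_text("-- constructed dump\n")
        (backup_dir / "sub" / "archive.sql").write_text("-- constructed nested dump\n")
        (root / "config.php").write_text("<?php // constructed sensitive file\n")

        traversal = "../config.php"
        vuln = Path(vulnerable_backup_path(str(backup_dir), traversal))
        return {
            # The unchecked join lands on the file outside the backup directory.
            "vulnerable_escapes": vuln.is_file() and vuln.resolve().parent == root,
            "safe_rejects_traversal": safe_backup_path(str(backup_dir), traversal),
            "safe_rejects_absolute": safe_backup_path(str(backup_dir), "/etc/hostname"),
            "safe_rejects_subdir": safe_backup_path(str(backup_dir), "sub/archive.sql"),
            "safe_accepts_legit": safe_backup_path(str(backup_dir), "nightly.sql"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check deliberately compares resolved paths rather than inspecting the input string for `..`, since string filters miss symlinks inside the backup directory and alternate encodings; an explicit allowlist of served file names would be stricter still where the set of backups is known.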

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade SOPlanning to a version newer than 1.55 as soon as a patched release becomes available
  • Restrict network access to SOPlanning backup endpoints to authorized administrative hosts only
  • Implement additional authorization controls on backup endpoints independent of application-level fixes
  • Monitor for unauthorized access attempts to backup file paths and anomalous file read operations
  • Review backup file storage locations to ensure they do not contain sensitive or executable content that could be targeted through path traversal
  • Apply mitigations for CVE-2026-40543 (Missing Authorization) in conjunction with addressing this vulnerability, as the two issues compound each other
  • Validate and sanitize all user-supplied path parameters in backup-related functionality to prevent directory traversal sequences
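The monitoring and network-restriction actions above can be backed by a simple log check. The following added example (not part of this advisory or of SOPlanning) scans constructed web-server access log lines for two conditions: traversal sequences in requests to backup endpoints, normalised through repeated URL decoding so double-encoded payloads are not missed, and any backup endpoint access from a host outside an administrative allowlist, which matters while CVE-2026-40543 leaves those endpoints without authorization. The `/backup/` prefix, the allowlist and the log lines are assumptions, since the advisory does not give SOPlanning's actual endpoint paths.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Subset of the Apache/nginx common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption/placeholder: the backup endpoints are served under this prefix.
BACKUP_PREFIXES = ("/backup/",)

# Constructed allowlist of administrative hosts permitted to reach backup endpoints.
ADMIN_HOSTS = {"10.0.0.5"}

# A ".." component after decoding, as a path segment or a query value, with either separator.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=&])\.\.(?:[\\/&]|$)')

# Constructed sample log: one legitimate admin download, two traversal attempts from an
# external host (plain and double-encoded), one plain backup read from a non-admin host,
# an unrelated request, and a backslash-separated traversal attempt from the admin host.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2026:10:00:01 +0000] "GET /backup/download.php?file=nightly.sql HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /backup/download.php?file=../../config.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jun/2026:10:00:03 +0000] "GET /backup/download.php?file=%252e%252e%252f%252e%252e%252fconfig.php HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jun/2026:10:00:04 +0000] "GET /backup/download.php?file=nightly.sql HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jun/2026:10:00:06 +0000] "GET /backup/download.php?file=..%5c..%5cconfig.php HTTP/1.1" 404 0',
]

Alert = Tuple[str, str, List[str]]  # (client ip, status, reasons)


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until stable so double- or triple-encoded sequences normalise."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyse_line(line: str) -> Optional[Alert]:
    m = LOG_RE.match(line)
    if not m:
        return None                       # unparseable line: skip rather than guess
    target = fully_decode(m.group("target"))
    path = target.split("?", 1)[0]
    reasons: List[str] = []
    if path.startswith(BACKUP_PREFIXES):
        if TRAVERSAL_RE.search(target):   # check path and query string alike
            reasons.append("traversal sequence in backup endpoint request")
        if m.group("ip") not in ADMIN_HOSTS:
            reasons.append("backup endpoint reached from non-administrative host")
    return (m.group("ip"), m.group("status"), reasons)


def find_alerts(lines: List[str]) -> List[Alert]:
    """Return only the parsed lines that triggered at least one reason."""
    alerts = []
    for line in lines:
        parsed = analyse_line(line)
        if parsed and parsed[2]:
            alerts.append(parsed)
    return alerts


if __name__ == "__main__":
    for ip, status, reasons in find_alerts(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

Note that a 404 or 403 response is still reported: a blocked traversal attempt is evidence of probing and belongs in the same triage queue as a successful one.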

Evidence notes

Path traversal in backup endpoints confirmed by official vulnerability database source (NVD). Missing authorization vulnerability CVE-2026-40543 referenced as compounding factor. CVSS 4.0 vector provided: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified as primary weakness. Affected versions explicitly stated as 1.55 and below.

Official resources

2026-06-01T09:16:17.513Z