PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40548 SOPlanning CVE debrief

An authenticated attacker with access to SOPlanning's backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file. The application does not verify uploaded file extensions, and the archive is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (such as a PHP script) can be placed in a web-accessible location and executed via the browser. This issue affects SOPlanning version 1.55 and below. The vulnerability was published on 2026-06-01 and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS 4.0 vector indicates a network attack vector, low attack complexity and high privileges required, with high impacts to subsequent system confidentiality, integrity, and availability.

Vendor: SOPlanning
Product: Unknown
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running SOPlanning 1.55 or below with backup functionality enabled for authenticated users. Security teams should prioritize this if backup access is widely granted or if CVE-2026-40547 remains unpatched in their environment.

Technical summary

SOPlanning versions 1.55 and below contain an unrestricted file upload vulnerability (CWE-434) in the backup functionality. The application fails to validate uploaded file extensions, allowing an authenticated attacker to submit a crafted ZIP archive. The archive is extracted server-side without adequate content inspection. The attacker includes a legitimate user.csv file to satisfy expected archive structure while embedding a malicious payload (e.g., PHP script). Successful exploitation requires combination with CVE-2026-40547 (Path Traversal) to write the malicious file to a web-accessible directory, after which it can be executed via HTTP request. The CVSS 4.0 score of 6.4 (MEDIUM) reflects the high privilege requirement (PR:H) with high subsequent impacts to system confidentiality, integrity, and availability (SC:H/SI:H/SA:H) once the vulnerability chain is exploited.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict access to SOPlanning backup functionality to the minimum number of authenticated accounts necessary
  • Upgrade SOPlanning to a version newer than 1.55 when available
  • Implement additional server-side validation to inspect ZIP archive contents before extraction
  • Configure the server to prevent execution of uploaded files in extraction directories
  • Apply principle of least privilege to the web server process to limit impact of successful exploitation
  • Monitor for unexpected file creation in web-accessible directories
  • Review and apply mitigations for CVE-2026-40547 if not already addressed, since full exploitation of this vulnerability depends on that path traversal issue
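The archive inspection recommended above, as an added example that is not SOPlanning's own code: it validates every ZIP entry name before anything is extracted, rejecting traversal paths, directories, symlinks and any entry that is not a flat, allowlisted CSV file. The allowlist pattern, size limit and the build_zip helper are constructed for this example.

```python
import io
import re
import zipfile

# Constructed policy for this example (not SOPlanning's own rules): a backup
# archive may only contain flat CSV files with a simple name, e.g. user.csv.
ENTRY_NAME = re.compile(r"[A-Za-z0-9_-]+\.csv")
MAX_ENTRY_BYTES = 10 * 1024 * 1024


def validate_backup_zip(data: bytes) -> list[str]:
    """Inspect an uploaded ZIP before extraction.

    Returns a list of violations; an empty list means every entry is a flat,
    allowlisted CSV file and extraction can proceed.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    problems = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Entry names are attacker-controlled strings: catch traversal,
            # absolute paths and Windows drive prefixes before anything else.
            norm = name.replace("\\", "/")
            parts = norm.split("/")
            if norm.startswith("/") or ".." in parts or re.match(r"[A-Za-z]:", norm):
                problems.append(f"{name}: unsafe path")
                continue
            if info.is_dir() or len(parts) > 1:
                problems.append(f"{name}: directories not allowed")
                continue
            # A symlink entry could redirect the extracted file elsewhere.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"{name}: symlink entry")
                continue
            # Strict name allowlist: rejects shell.php, user.csv.php and
            # double-extension names such as shell.php.csv alike.
            if not ENTRY_NAME.fullmatch(name):
                problems.append(f"{name}: name not allowlisted")
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append(f"{name}: declared size exceeds limit")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run the check on the raw upload and extract only when the returned list is empty; the server-side execution controls in the list above still apply as a second layer.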

Evidence notes

The CVE description states that SOPlanning does not verify uploaded file extensions and that an authenticated attacker with backup functionality access can upload a crafted ZIP archive. The archive extraction occurs server-side. The description explicitly references combination with CVE-2026-40547 (Path Traversal) to achieve remote code execution via web-accessible file placement. Affected versions are stated as 1.55 and below. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H) was provided in source metadata. CWE-434 is identified as the weakness. Vendor attribution is based on the reference-domain candidate 'Soplanning' with low confidence and is flagged as needing review.
