These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
Cross-Site Request Forgery (CSRF) vulnerability in SOPlanning version 1.55 and below. The `groupe_save` endpoints for create, modify, and delete operations lack sufficient anti-CSRF protections, allowing an attacker to craft a malicious website that submits forged GET or POST requests on behalf of an authenticated user. The vulnerability was disclosed on 2026-06-01 with a MEDIUM severity CVSS 4.0 score of [truncated]
An authenticated attacker with access to SOPlanning's backup functionality can upload a crafted ZIP archive containing a legitimate `user.csv` file alongside a malicious file. The application does not verify uploaded file extensions, and the archive is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file, such as a PHP script, can be placed in a web-accessible locati [truncated]
CVE-2026-40547 is a path traversal vulnerability in SOPlanning affecting versions 1.55 and below. The vulnerability exists in backup endpoints, where an authenticated remote attacker can construct payloads to read and execute files previously added through the backup functionality. The severity is compounded by CVE-2026-40543 (Missing Authorization), which allows any unauthorized user to read any backup f [truncated]
SOPlanning versions 1.55 and below contain SQL injection vulnerabilities across multiple endpoints and parameters. An attacker with low privileges can inject arbitrary SQL commands, potentially achieving full database control. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required, and high impacts to confidentiality and integrity with low availability impact. [truncated]
A reflected cross-site scripting (XSS) vulnerability exists in SOPlanning versions 1.55 and below. The flaw resides in the `taches` parameter, which fails to properly sanitize user-supplied input before reflecting it in the application's response. An attacker can construct a malicious URL containing JavaScript payloads; when an authenticated victim opens this URL, arbitrary JavaScript executes within the [truncated]
An authenticated stored cross-site scripting (XSS) vulnerability exists in SOPlanning versions 1.55 and below. The attack vector is the `/process/upload_backup` endpoint, where an authenticated attacker with backup functionality access can upload a crafted ZIP archive containing a malicious `user.csv` file with embedded JavaScript. The injected code executes in a victim's browser when a user clicks the Edit b [truncated]
SOPlanning versions 1.55 and below expose backup functionality without authentication, allowing unauthenticated remote attackers to retrieve backup archives containing sensitive data including user databases with usernames and password hashes, and the `config.csv` configuration file. The vulnerability stems from missing authorization checks on backup-related endpoints (CWE-862). The CVSS 4.0 vector indicate [truncated]