CVE-2026-40543
Deferred
Deferred - Pending Action
Unauthenticated Backup Access in SOPlanning
Vulnerability report for CVE-2026-40543, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: CERT.PL
Description
Description
SOPlanning does not enforce authorization for backup functionalities.Β An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.
This issue affects SOPlanning version 1.55 and below.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| soplanning | soplanning | to 1.55 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |