CVE-2026-40544
Stored XSS in SOPlanning via Malicious Backup Upload
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| soplanning | soplanning | < 1.56 (1.55 and earlier) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in SOPlanning versions prior to 1.56 (1.55 and earlier). An authenticated attacker with access to the backup functionality can upload a specially crafted ZIP archive whose user.csv contains a field with embedded JavaScript. The payload is persisted inside the uploaded backup, and when a user later clicks the Edit button for that backup, the application places the CSV content into the page without neutralizing it, so the injected JavaScript executes in the victim's browser.
How can this vulnerability impact me?
The injected JavaScript runs with the privileges of whoever opens the Edit view of the crafted backup, so the attacker can perform actions in SOPlanning as that user (for example, as an administrator), read page content, and, where the session cookie is not marked HttpOnly, steal it outright; the script can also redirect the victim to phishing or malware sites. Because the attacker must already be authenticated with access to the backup functionality, the exposure is limited to installations where backup-capable users are not fully trusted, but a single administrator opening the crafted backup is enough to compromise user data and application integrity.
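To make the mechanism in the two answers above concrete, here is an added, self-contained Python example that is not SOPlanning's code and does not reproduce its actual backup format: it constructs a backup ZIP whose user.csv carries a script payload, restores it the way a naive Edit page would (CSV fields interpolated straight into HTML), shows the hardened rendering with output encoding, and runs a simple import-time scan that flags fields carrying active content. The column names in user.csv and the archive layout are assumptions made for illustration.

```python
import csv
import html
import io
import zipfile

# Constructed payload: an attribute-event handler, which fires without the
# victim doing anything beyond opening the page that renders the field.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def build_backup(username, display_name):
    """Return bytes of a ZIP 'backup' containing a user.csv (assumed layout)."""
    text = io.StringIO()
    writer = csv.writer(text)
    writer.writerow(["login", "name", "email"])          # assumed columns
    writer.writerow([username, display_name, "attacker@example.invalid"])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("user.csv", text.getvalue())
    return out.getvalue()


def read_users(backup_bytes):
    """Parse user.csv out of the uploaded archive into a list of row dicts."""
    with zipfile.ZipFile(io.BytesIO(backup_bytes)) as zf:
        with zf.open("user.csv") as fh:
            # newline="" so the csv module handles quoted fields correctly.
            reader = csv.DictReader(io.TextIOWrapper(fh, encoding="utf-8", newline=""))
            return list(reader)


def render_edit_form_vulnerable(users):
    """The CWE-79 pattern: CSV fields dropped into HTML with no encoding."""
    rows = "".join(
        f"<tr><td>{u['login']}</td><td>{u['name']}</td></tr>" for u in users
    )
    return f"<table>{rows}</table>"


def render_edit_form_fixed(users):
    """Hardened rendering: every field is HTML-encoded at output time.

    html.escape() encodes &, <, >, " and ' so a field can never break out of
    the text node or attribute it is placed in. The PHP equivalent is
    htmlspecialchars($v, ENT_QUOTES, 'UTF-8').
    """
    rows = "".join(
        f"<tr><td>{html.escape(u['login'])}</td><td>{html.escape(u['name'])}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


# Markers for a defence-in-depth scan of uploaded backups. This is a
# heuristic for logging/alerting, not a substitute for output encoding.
ACTIVE_CONTENT_MARKERS = (
    "<script", "javascript:", "onerror=", "onload=", "<img", "<svg", "<iframe",
)


def find_suspicious_fields(users):
    """Return (row_index, column) for fields that look like HTML/JS injection."""
    hits = []
    for i, row in enumerate(users):
        for column, value in row.items():
            lowered = (value or "").lower()
            if any(marker in lowered for marker in ACTIVE_CONTENT_MARKERS):
                hits.append((i, column))
    return hits


if __name__ == "__main__":
    users = read_users(build_backup("mallory", PAYLOAD))
    print("vulnerable:", render_edit_form_vulnerable(users))
    print("fixed:     ", render_edit_form_fixed(users))
    print("flagged:   ", find_suspicious_fields(users))
```

The important design point is where the fix lives: the CSV parser and the ZIP handling are not at fault, and rejecting "dangerous-looking" fields at upload time would be bypassable. The vulnerability is closed only by encoding every field when it is written into the Edit page; the scan is useful for detection (alert when a backup-capable user uploads an archive that trips it) and as a secondary control.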