CVE-2026-40547
Deferred Deferred - Pending Action
Path Traversal in SOPlanning Backup Endpoints

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: CERT.PL

Description
SOPlanning is vulnerable to Path Traversal in backup endpoints. Authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user. This issue affects SOPlanning version 1.55 and below.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-40547
EUVD
EUVD-2026-33613
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
soplanning soplanning to 1.55 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in SOPlanning allows unauthorized users to read backup files due to missing authorization and path traversal issues. This unauthorized access to potentially sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and protected health information.

Specifically, the ability for any unauthorized user to read backup files may result in exposure of confidential information, undermining compliance with confidentiality, integrity, and access control requirements mandated by these standards.

Executive Summary

The vulnerability in SOPlanning involves a Path Traversal issue in its backup endpoints. An authenticated remote attacker can exploit this vulnerability by crafting payloads that allow them to read and execute files that were previously added through the backup functionality.

Additionally, due to a related vulnerability (CVE-2026-40543) involving missing authorization, any backup file can be read by any unauthorized user, increasing the risk of unauthorized data access.

This affects SOPlanning version 1.55 and below.

Impact Analysis

This vulnerability can lead to unauthorized reading and execution of files within the SOPlanning system, potentially exposing sensitive data or allowing malicious code execution.

Because of the missing authorization issue, even unauthorized users can access backup files, which increases the risk of data breaches.

Overall, this can compromise the confidentiality and integrity of the system and its data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40547. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart