Stored XSS Vulnerability in SOPlanning by Open-Source Developer
CVE-2026-40544

5.1 MEDIUM

Key Information:

Vendor: Soplanning

CVE Published: 1 June 2026

What is CVE-2026-40544?

SOPlanning is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability through the /process/upload_backup endpoint. An authenticated user with access to the backup functionality can upload a specially crafted ZIP file containing a malicious user.csv file. JavaScript code injected through this file runs in the browser of any victim who interacts with the malicious backup by clicking the Edit button. This risk primarily impacts SOPlanning version 1.55 and any earlier versions.

Affected Version(s)

SOPlanning 0 <= 1.55

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Łukasz Jaworski