CVE-2026-40544

UNKNOWN 0.0

Stored XSS in SOPlanning

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

15th

SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup. This issue affects SOPlanning version 1.55 and below.

CWE	CWE-79
Vendor	soplanning
Product	soplanning
Published	Jun 1, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for soplanning soplanning

Be the first to know when new unknown vulnerabilities affecting soplanning soplanning are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

SOPlanning / SOPlanning

0 ≤ 1.55

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/en/posts/2026/06/CVE-2026-40543 soplanning.org: https://www.soplanning.org/en/

Credits

Łukasz Jaworski