VYPR
Vypr Intelligence · AI-generated · Jun 1, 2026 · 7 CVEs

Soplanning: Seven Vulnerabilities Disclosed, Including SQLi and Auth Bypass

Seven vulnerabilities affecting Soplanning version 1.55 and earlier were disclosed on June 1, 2026, the most severe being a high-severity SQL injection and a missing authorization check on the backup endpoints.

Key findings

  • Seven vulnerabilities disclosed for Soplanning v1.55 and below on June 1, 2026.
  • High-severity SQL injection (CVE-2026-40546) lets a low-privileged user inject arbitrary SQL, potentially giving full control of the database.
  • Missing authorization on the backup endpoints (CVE-2026-40543, high severity) lets an unauthenticated user retrieve backups containing the user database, password hashes included, and configuration files.
  • Path traversal in the backup endpoints (CVE-2026-40547), chained with CVE-2026-40543 and the weak file-extension check on backup uploads (CVE-2026-40548), allows reading and executing files placed through the backup feature.
  • Three medium-severity issues: CSRF on the group endpoints (CVE-2026-40549), reflected XSS via the 'taches' parameter (CVE-2026-40545) and stored XSS through the upload_backup endpoint (CVE-2026-40544), all of which need an authenticated victim.

On June 1, 2026, a batch of seven vulnerabilities affecting Soplanning version 1.55 and earlier was disclosed, presenting a significant risk to users of the project management software. The batch includes two high-severity flaws, an SQL injection and a missing authorization check on the backup endpoints, alongside medium-severity Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) issues.

The two most severe issues are CVE-2026-40546, a high-severity SQL injection that lets a low-privileged attacker inject arbitrary SQL commands, potentially leading to full control of the database, and CVE-2026-40543, a high-severity lack of authorization on the backup functionality. The latter lets an unauthenticated attacker retrieve sensitive data, including the user database with its password hashes and the configuration files.

Compounding this, CVE-2026-40547, a path traversal in the backup endpoints, lets an authenticated attacker read and execute files previously added through the backup functionality. It is particularly dangerous in combination with CVE-2026-40543, which removes the authorization check that would otherwise gate access to the backup archives. CVE-2026-40548, an insufficient file-extension check on backup uploads, rounds out the chain: combined with the other flaws it could let an attacker place a malicious file on the server.
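The checks a backup endpoint needs in order to break this chain, as an added example in Python rather than Soplanning's own (PHP) code: authorization before anything else, then a user-supplied archive name confined to the backup directory and restricted to the expected suffix. The BACKUP_DIR location, the session shape and the function names are assumptions for illustration; the advisory does not describe the application's internals.

```python
import os
from pathlib import PurePosixPath

# Added example, not Soplanning's code. BACKUP_DIR is an assumed location; the
# advisory does not say where the application stores its archives.
BACKUP_DIR = "/var/www/app/backups"
ALLOWED_SUFFIXES = {".zip"}


def require_backup_admin(session: dict) -> None:
    """Authorization comes first: the advisory's core finding is that the
    backup endpoints could be reached without it. The session shape
    ({"user": ..., "is_admin": bool}) is assumed, not the application's real one."""
    if not session.get("user") or not session.get("is_admin"):
        raise PermissionError("backup endpoints require an authenticated admin")


def safe_backup_path(user_name: str, base_dir: str = BACKUP_DIR) -> str:
    """Map a user-supplied archive name to an absolute path inside base_dir.

    Raises ValueError for NUL bytes, an empty or dot-only name, a suffix other
    than .zip (tested on the LAST suffix, so 'x.zip.php' is refused), and any
    name whose resolved path escapes base_dir ('..', absolute paths, symlinks)."""
    if not user_name or "\x00" in user_name:
        raise ValueError("empty name or NUL byte")
    suffix = PurePosixPath(user_name).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"suffix {suffix!r} not allowed")
    base = os.path.realpath(base_dir)
    # realpath() collapses '..' and follows symlinks, so the containment test
    # runs on what the filesystem would actually open, not on the raw string.
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the backup directory")
    return candidate


def is_safe_backup_name(user_name: str) -> bool:
    """Accept/reject wrapper around safe_backup_path()."""
    try:
        safe_backup_path(user_name)
        return True
    except ValueError:
        return False


def handle_backup_download(session: dict, user_name: str) -> str:
    """Order matters: authorize, then validate the name, then touch the file."""
    require_backup_admin(session)
    return safe_backup_path(user_name)


if __name__ == "__main__":
    for name in ["daily.zip", "../../etc/evil.zip", "/etc/evil.zip", "x.zip.php", "evil.php"]:
        print(f"{name!r:24} -> {'accept' if is_safe_backup_name(name) else 'reject'}")
```

The suffix test looks at the last suffix only, so a double extension such as `x.zip.php` is refused, and the containment test runs on the resolved path, so a symlink dropped inside the backup directory cannot point outside it. Names in subdirectories of the backup directory are accepted; tighten the check to a bare file name if the application never writes subdirectories.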

Medium-severity vulnerabilities also add to the attack surface. CVE-2026-40549 details a Cross-Site Request Forgery (CSRF) flaw affecting create, modify, and delete operations for group endpoints. Attackers can exploit this by tricking authenticated users into visiting a malicious website. Similarly, CVE-2026-40545 is a Reflected XSS vulnerability via the 'taches' parameter, enabling arbitrary JavaScript execution in a victim's browser through crafted URLs. A Stored XSS vulnerability, CVE-2026-40544, exists in the upload_backup endpoint, where an attacker can upload a malicious ZIP archive containing JavaScript, which is then executed when the backup is processed.
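For teams that cannot patch immediately, a first-pass triage of web server access logs for the patterns described in the preceding paragraphs: hits on the backup endpoints (to be reviewed for unauthenticated access, given CVE-2026-40543), traversal sequences in request parameters (CVE-2026-40547), script markup in parameters such as 'taches' (CVE-2026-40545) and SQL injection markers (CVE-2026-40546). This is an added example, not tooling from the advisory or the project; the log lines are constructed, and the URL paths are assumptions, since the advisory names only the upload_backup endpoint and the 'taches' parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (combined log format); not real traffic. The URL
# paths are assumptions: the advisory names only the upload_backup endpoint and
# the 'taches' parameter, not the full request URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2026:10:00:05 +0000] "GET /planning.php?taches=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2026:10:01:12 +0000] "GET /backup.php?file=..%2F..%2Fconfig.php HTTP/1.1" 200 1460 "-" "curl/8.6.0"
203.0.113.9 - - [01/Jun/2026:10:01:40 +0000] "POST /upload_backup HTTP/1.1" 302 0 "-" "curl/8.6.0"
203.0.113.9 - - [01/Jun/2026:10:01:55 +0000] "GET /planning.php?projet=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 0 "-" "curl/8.6.0"
203.0.113.9 - - [01/Jun/2026:10:02:02 +0000] "GET /backup.php?file=daily.zip HTTP/1.1" 200 40960 "-" "curl/8.6.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection patterns. Deliberately broad: this is triage, not a WAF.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
XSS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
SQLI = re.compile(r"union\s+select|'\s*(or|and)\s|--\s|/\*|;\s*(drop|insert|update|delete)\b", re.I)


def decode_twice(value: str) -> str:
    """Undo an extra layer of percent-encoding so '%252e%252e' is seen as '..'."""
    return unquote(unquote(value))


def analyze(log_text: str) -> list:
    """Return (line_no, client_ip, rule, request_target) for every rule hit."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        path = decode_twice(url.path)
        # parse_qsl already decodes once; decode_twice then catches double encoding.
        values = [decode_twice(v) for _, v in parse_qsl(url.query, keep_blank_values=True)]
        hits = []
        if "backup" in path.lower():
            hits.append("backup_endpoint")  # review these for missing authorization
        if TRAVERSAL.search(path) or any(TRAVERSAL.search(v) for v in values):
            hits.append("path_traversal")
        if any(XSS.search(v) for v in values):
            hits.append("xss")
        if any(SQLI.search(v) for v in values):
            hits.append("sqli")
        findings.extend((line_no, m["ip"], rule, m["target"]) for rule in hits)
    return findings


if __name__ == "__main__":
    for line_no, ip, rule, target in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {ip} {rule:<16} {target}")
```

Every backup endpoint hit is reported, not only the suspicious ones, because the advisory's point is that the endpoint itself lacked authorization; whether a given request was authenticated has to be established from session data the access log does not carry.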

All seven vulnerabilities were published on the same day, which points to a single coordinated disclosure. The affected range is stated as version 1.55 and below for most of the entries. The initial disclosure does not name a fixed version, so users should update to the latest available release as soon as possible and, until a fix is confirmed, restrict who can reach the backup endpoints, for example at the web server or reverse proxy. Together, the SQL injection, the path traversal and the missing authorization check form a chain that could lead to complete compromise of the host.

Given the severity of the disclosed flaws, particularly the SQL injection and the unauthenticated access to sensitive data through the backup functionality, Soplanning users should prioritise patching. The missing authorization on the backup endpoints is especially concerning because it can expose the entire user database, password hashes included, to anyone who can reach the application, with no prior authentication. The batch also shows why backup and export features, which by design bundle the most sensitive data an application holds, need the same authorization, path and upload scrutiny as the rest of the code.

AI-written article. Grounded in 7 CVE records listed below.