Medium severityNVD Advisory· Published Jun 1, 2026· Updated Jun 1, 2026
CVE-2026-40544
CVE-2026-40544
Description
SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup.
This issue affects SOPlanning version 1.55 and below.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.55+ 1 more
- (no CPE)range: <=1.55
- (no CPE)range: <=1.55
Patches
Vulnerability mechanics
References
2News mentions
1- Soplanning: Seven Vulnerabilities Disclosed, Including SQLi and Auth BypassVypr Intelligence · Jun 1, 2026