VYPR
Medium severity · NVD Advisory · Published Jun 1, 2026

CVE-2026-40544

Description

CVE-2026-40544 describes a stored XSS vulnerability in SOPlanning ≤1.55, where an authenticated attacker injects malicious JavaScript via a crafted backup archive, leading to script execution in a victim's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in SOPlanning versions 1.55 and below via the /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup. The product is an online project management and planning tool [2].

Exploitation

To exploit the vulnerability, an attacker must be authenticated and have access to the backup upload functionality. The attacker crafts a ZIP archive that includes a user.csv file with malicious JavaScript code embedded in one of the fields. After uploading the archive via the backup endpoint, the malicious data is stored. When another user (or the same attacker) navigates to the backup list and clicks the Edit button for that specific backup, the injected script executes in the context of the victim's session [1].

Impact

Successful exploitation results in stored cross-site scripting, allowing the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or other actions that the victim user can perform within the application, potentially compromising data confidentiality and integrity [1].

Mitigation

As of the publication date (2026-06-01), no fixed version is mentioned in the available references. Users should restrict access to the backup functionality to trusted administrators only, monitor for suspicious backup uploads, and apply strict input validation on CSV data in backups. CERT Polska reported the vulnerability, and users are advised to watch for an official patch from SOPlanning [1].
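The two mitigations above (reject malformed CSV fields before they are stored, and log rejected uploads so suspicious backups can be monitored) can be illustrated with a small validator. This is an added example, not SOPlanning's code: the archive is built in memory from a constructed user.csv, the column names and allowlist patterns are hypothetical stand-ins for whatever the real backup format contains, and `render_cell` shows the output-encoding step that a template should apply regardless of what validation let through.

```python
import csv
import html
import io
import re
import zipfile

# Hypothetical user.csv layout; SOPlanning's real column set is not on the page.
HEADER = ["id", "login", "display_name", "email"]

# Constructed sample rows: one clean, one carrying an HTML tag in a free-text field.
CLEAN_ROW = ["1", "alice", "Alice Smith", "alice@example.invalid"]
SUSPICIOUS_ROW = ["2", "mallory", "<script>x</script>", "mallory@example.invalid"]


def build_backup_zip(rows, csv_name="user.csv"):
    """Build an in-memory ZIP backup containing a CSV (constructed test fixture)."""
    text = io.StringIO()
    writer = csv.writer(text)
    writer.writerow(HEADER)
    writer.writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(csv_name, text.getvalue())
    return buf.getvalue()


# Allowlist per column: a value that does not match is rejected before it is
# written to the database or handed to any template.
COLUMN_RULES = {
    "id": re.compile(r"^\d{1,10}$"),
    "login": re.compile(r"^[A-Za-z0-9._-]{1,64}$"),
    "display_name": re.compile(r'^[^<>"\'&\x00-\x1f]{1,128}$'),
    "email": re.compile(r'^[^\s<>"\'@]+@[^\s<>"\'@]+$'),
}


def validate_user_csv(zip_bytes, max_rows=10000):
    """Return (accepted_rows, findings); a finding is (line_no, column, value)."""
    accepted, findings = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if "user.csv" not in zf.namelist():
            return accepted, [(0, "<archive>", "user.csv missing")]
        data = zf.read("user.csv").decode("utf-8", errors="replace")
    reader = csv.DictReader(io.StringIO(data))
    if reader.fieldnames != HEADER:
        return accepted, [(1, "<header>", ",".join(reader.fieldnames or []))]
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        if line_no - 1 > max_rows:
            findings.append((line_no, "<archive>", "row limit exceeded"))
            break
        bad = [
            (line_no, col, row[col])
            for col in HEADER
            if not COLUMN_RULES[col].fullmatch(row[col] or "")
        ]
        if bad:
            findings.extend(bad)  # reject the whole row, record every bad field
        else:
            accepted.append(row)
    return accepted, findings


def render_cell(value):
    """Output encoding for an HTML edit view: the second line of defence."""
    return html.escape(value, quote=True)


def upload_log_line(user, findings):
    """One log line per rejected upload, so backup uploads can be monitored."""
    cols = sorted({f[1] for f in findings})
    return (
        f"backup_upload user={user} rejected=1 "
        f"findings={len(findings)} columns={','.join(cols)}"
    )


if __name__ == "__main__":
    accepted, findings = validate_user_csv(build_backup_zip([CLEAN_ROW, SUSPICIOUS_ROW]))
    print(f"accepted={len(accepted)} findings={findings}")
    print(upload_log_line("mallory", findings))
    print(render_cell(SUSPICIOUS_ROW[2]))
```

Validation and output encoding are deliberately separate functions: the allowlist keeps bad data out of storage, while `render_cell` guarantees that anything already stored (for instance from a backup imported before validation was added) is still shown as text rather than interpreted as markup.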

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.