CVE-2026-40545

Vulnerability

SOPlanning versions 1.55 and below [1][2] contain a reflected cross-site scripting (XSS) vulnerability in the taches parameter. The application fails to properly neutralize user-supplied input during web page generation (CWE-79) [1], allowing arbitrary HTML and script injection when the parameter is reflected back into the response without sanitization.

Exploitation

An attacker can craft a malicious URL containing JavaScript payload in the taches parameter. The victim must be authenticated to the SOPlanning instance and click the crafted link (e.g., via phishing or social engineering). The injected script executes in the victim's browser session with the privileges of the SOPlanning application.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, sensitive information disclosure, defacement, or further actions within the context of the authenticated session, potentially compromising the confidentiality and integrity of the SOPlanning deployment.

Mitigation

As of the publication date (June 1, 2026), no patched version has been released. Users should restrict access to trusted authenticated users, implement web application firewall (WAF) rules to block malicious taches parameter values, and monitor for suspicious activity. SOPlanning versions 1.55 and earlier are affected [1]; upgrading to any future fixed version should be applied as soon as available.