VYPR
High severity · NVD Advisory · Published Jun 1, 2026

CVE-2026-40546

Description

SOPlanning 1.55 and below contains SQL injection across multiple endpoints, enabling low-privileged attackers to fully compromise the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

SOPlanning through version 1.55 fails to properly neutralize user input in multiple endpoints and parameters, leading to SQL injection [1]. This is a classic SQL injection weakness (CWE-89, improper neutralization of special elements used in an SQL command): user-supplied data is concatenated into SQL query strings rather than being passed as bound parameters or escaped. The affected product is an online project management and shared planning tool [2]. All versions up to and including 1.55 are vulnerable.

Exploitation

An attacker with low privileges—such as a regular user account—can inject arbitrary SQL commands by sending crafted payloads to the vulnerable parameters across multiple endpoints [1]. No special network position beyond standard web access is required; the attacker only needs an authenticated account. The exact injection points are not publicly detailed, but the advisory confirms that the attack surface spans multiple endpoints.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the backend database [1]. This can yield full read/write access to the database contents, potentially including all application data, user credentials, and configuration secrets. Depending on the database configuration and application architecture, this may further enable privilege escalation or lateral movement within the environment.

Mitigation

The vendor has not released a patched version as of the publication date [1]. Until a fix is available, the only mitigations are to restrict network access to the SOPlanning instance and to apply strict input validation, either through a web application firewall (WAF) or through custom code changes. Users should monitor the vendor's website [2] for future updates. This CVE is not listed in the CISA KEV catalog at this time.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)