CVE-2026-40548

Vulnerability

SOPlanning does not verify the file extension of uploaded files during the backup restore process. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file (e.g., a PHP script). The ZIP is extracted on the server. When combined with the path traversal vulnerability CVE-2026-40547, the malicious file can be written to a web-accessible directory. This issue affects SOPlanning version 1.55 and below [1].

Exploitation

The attacker must have authenticated access to the backup feature. The attack involves creating a ZIP archive that includes a legitimate user.csv file and a malicious PHP script. Using a directory traversal pattern in the filename of the malicious file (e.g., ../../../webroot/malicious.php), the attacker uploads the ZIP via the backup restore interface. The server extracts the archive, placing the PHP script in a web-accessible location due to the path traversal [1].

Impact

By accessing the uploaded PHP script via a browser, the attacker achieves arbitrary code execution on the server. This can lead to full compromise of the SOPlanning installation, including data theft, modification, or further exploitation of the underlying system [1].

Mitigation

As of the publication date, no official fix or workaround has been disclosed in the available references. Affected versions include SOPlanning up to 1.55. Users are advised to monitor the vendor's website for patches and restrict access to the backup functionality to trusted administrators only. CVE-2026-40548 is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].