
9 matches found

RedhatCVE
added yesterday · 3 views

CVE-2026-40549

SOPlanning is vulnerable to Cross-Site Request Forgery (CSRF) in groupesave create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application. This issue affects SOPlanning...

CVSS 5.1 · AI score 5.5 · EPSS 0.00019
Exploits: 0 · References: 1
EUVD
added 5 days ago · 8 views

EUVD-2026-33614

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 Path...

CVSS 8.8 · AI score 5.8 · EPSS 0.00067
Exploits: 0 · References: 2
Cvelist
added 5 days ago · 36 views

CVE-2026-40544 Stored XSS in SOPlanning

SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/uploadbackup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the...

CVSS 5.1 · EPSS 0.00047
Exploits: 0 · References: 2
Vulnrichment
added 5 days ago · 6 views

CVE-2026-40543 Missing Authorization in SOPlanning

SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional...

CVSS 8.8 · AI score 5.8 · EPSS 0.00067
Exploits: 0 · References: 2
CNNVD
added 5 days ago · 4 views

SOPlanning security vulnerabilities

SOPlanning is online project management software developed by SOPlanning Company. SOPlanning versions 1.55 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization for the backup function, which could allow unauthorized attackers to...

CVSS 8.8 · AI score 5.8 · EPSS 0.00067
Exploits: 0 · References: 2
CNNVD
added 5 days ago · 6 views

SOPlanning path traversal vulnerability

SOPlanning is online project management software developed by SOPlanning Company. SOPlanning versions 1.55 and earlier contained a path traversal vulnerability. This vulnerability stemmed from the backup endpoints being susceptible to path traversal attacks, allowing authenticated...

CVSS 8.8 · AI score 5.9 · EPSS 0.00154
Exploits: 0 · References: 2
CNNVD
added 5 days ago · 5 views

SOPlanning Cross-Site Scripting Vulnerabilities

SOPlanning is online project management software developed by SOPlanning Company. SOPlanning versions 1.55 and earlier had a cross-site scripting vulnerability. This vulnerability stemmed from the taches parameter, which was vulnerable to reflected cross-site scripting attacks...

CVSS 8.8 · AI score 5.9 · EPSS 0.00077
Exploits: 0 · References: 2
Positive Technologies
added 2023/04/08 12:0 a.m. · 2 views

PT-2023-10014 · Unknown · Exit Strategy Plugin

Name of the Vulnerable Software and Affected Versions: Exit Strategy Plugin versions 1.55 through 1.58
Description: A vulnerability was found in the Exit Strategy Plugin and classified as problematic. The issue affects the exitpageadmin function of the file exitpage.php. This manipulation leads t...

CVSS 8.8 · AI score 7.1 · EPSS 0.00165
Exploits: 0 · References: 5
CNVD
added 2018/06/06 12:0 a.m. · 2 views

Unspecified Vulnerability in Bouncy Castle JCE Provider

Bouncy Castle JCE Provider is a Java-based encryption package. A security vulnerability exists in the square implementation of Bouncy Castle JCE Provider versions 1.51 through 1.55. A detailed description of the vulnerability is not available at this time...

CVSS 7.5 · AI score 6.8 · EPSS 0.00397
Exploits: 0 · References: 1