Łukasz Jaworski

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.56 **Description** Cross-Site Request Forgery (CSRF) exists in the 'groupe save' create, modify, and delete endpoints. This allows an attacker to craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application. **Recommendations** Update to a version later than 1.55.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.56 **Description** Lack of authorization enforcement for backup functionalities allows an unauthenticated attacker to query backup-related endpoints. This can lead to the retrieval of backup archives containing user databases with usernames and password hashes, as well as the `config.csv` file containing sensitive information. **Recommendations** Update to a version later than 1.55.

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (e.g., a PHP script) can be placed in a web-accessible location and executed via the browser. This issue affects SOPlanning version 1.55 and below.

SOPlanning is vulnerable to Path Traversal in backup endpoints. Authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user. This issue affects SOPlanning version 1.55 and below.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.56 **Description** SQL Injection allows an attacker with low privileges to inject arbitrary SQL commands, which could lead to full control over the database. **Recommendations** Update to a version newer than 1.55.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.56 **Description** Reflected Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or escaping. An attacker can craft a malicious URL containing the `taches` parameter which, when opened by an authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. **Recommendations** Update to a version later than 1.55. As a temporary workaround, avoid using the `taches` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.56 **Description** Stored Cross-Site Scripting (XSS) occurs via the '/process/upload backup' endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious `user.csv` file with embedded JavaScript. The injected code executes in the victim's browser when the Edit button for the malicious backup is clicked. **Recommendations** Update to a version later than 1.55. Restrict access to the '/process/upload backup' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PDF Export Module versions prior to 0.7.6 **Description** The PDF Export Module used in DHTMLX Gantt and Scheduler allows unauthenticated remote code execution. The issue stems from insufficient sanitization of the `data` parameter. An attacker can inject malicious JavaScript code into this parameter, which is then processed and executed by Node.js, potentially leading to full server compromise. **Recommendations** Update to version 0.7.6. As a temporary workaround, restrict access to the `data` parameter within the PDF Export Module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PDF Export Module versions prior to 0.7.6 **Description** The PDF Export Module used in DHTMLX Gantt and Scheduler contains a path traversal flaw resulting from insufficient HTML sanitization. This allows an unauthenticated user to create a malicious HTML payload that includes local server files, which are then displayed within the generated PDF document. **Recommendations** Update to version 0.7.6.

**Name of the Vulnerable Software and Affected Versions** DHTMLX Diagram versions prior to 1.1.1 **Description** The export module is susceptible to Path Traversal in the `src` attribute because of insufficient HTML sanitization. An unauthenticated attacker can craft a malicious HTML payload to read arbitrary local files from the server and include their content in the generated PDF. **Recommendations** Update to version 1.1.1.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a Broken Access Control issue in the `/status` endpoint. Insufficient permission checks within the Project Status functionality allow an authenticated attacker to modify any status by adding, editing, or deleting entries. The vulnerable parameter is not specified. **Recommendations** Update to version 1.55 or later.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a Stored Cross-Site Scripting (XSS) issue within the `/feries` endpoint. A malicious actor with access to the public holidays feature can inject arbitrary HTML and JavaScript code into the website. This injected code will be rendered and executed when various pages are accessed. By default, access to this endpoint is limited to administrators and users with specific privileges. **Recommendations** Update to version 1.55 or later.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a Stored Cross-Site Scripting (XSS) issue within the `/status` endpoint. An attacker possessing an account can inject arbitrary HTML and JavaScript code into the website. This injected code will be rendered and executed when other users access various pages. **Recommendations** Update SOPlanning to version 1.55 or later.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a Stored Cross-Site Scripting (XSS) issue in the `/projets` API endpoint. An attacker with medium privileges can inject arbitrary HTML and JavaScript code into the website. This injected code will be rendered and executed when an edited page is opened. **Recommendations** Update SOPlanning to version 1.55 or later.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a Stored Cross-Site Scripting (XSS) issue within the `/taches` endpoint. An attacker with medium privileges can inject arbitrary HTML and JavaScript code into the website. This injected code will be rendered and executed when the editor is opened. **Recommendations** Update SOPlanning to version 1.55 or later.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a Stored Cross-Site Scripting (XSS) issue in the `/groupe form` endpoint. An attacker with medium privileges can inject arbitrary HTML and JavaScript code into the website. This injected code will be rendered and executed when the editor is opened. **Recommendations** Update to version 1.55 or later.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.55 **Description** SOPlanning is susceptible to a weakness in its password recovery token generation process. The use of a weak mechanism for generating these tokens allows a malicious actor to potentially brute-force all possible values, leading to account takeover. **Recommendations** Update to version 1.55 or later.