PT-2026-45361 · Soplanning · Soplanning
Łukasz Jaworski · Published 2026-06-01 · Updated 2026-06-01
CVE-2026-40548
CVSS v4.0: 6.4 Medium
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
SOPlanning does not verify the extension of uploaded files. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, and the archive is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (e.g., a PHP script) can be placed in a web-accessible location and executed via the browser.
This issue affects SOPlanning version 1.55 and below.
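One way to close the upload side of this issue, shown as an added Python example that is not SOPlanning's code or its fix: accept a backup archive only if every entry is on an allowlist and none carries a traversal path, then read the entries into memory instead of extracting them under archive-supplied names. The allowlist contents, size ceiling, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

ALLOWED_ENTRIES = {"user.csv"}     # assumption: the only entry the importer needs
MAX_ENTRY_BYTES = 5 * 1024 * 1024  # assumption: per-entry size ceiling


def validate_backup_zip(data: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means acceptable."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    problems = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            parts = PurePosixPath(name.replace("\\", "/")).parts
            if name.startswith(("/", "\\")) or ".." in parts or ":" in name:
                problems.append(f"path traversal or absolute path: {name!r}")
            elif name not in ALLOWED_ENTRIES:
                problems.append(f"unexpected entry: {name!r}")
            elif info.file_size > MAX_ENTRY_BYTES:
                problems.append(f"entry too large: {name!r}")
    return problems


def read_backup_entries(data: bytes) -> dict[str, bytes]:
    """Return allowlisted entries in memory; nothing is written to disk here."""
    problems = validate_backup_zip(data)
    if problems:
        raise ValueError("; ".join(problems))
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return {name: archive.read(name) for name in archive.namelist()}


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a clean backup, one with an extra file, one with a traversal name.
GOOD = build_zip({"user.csv": b"login;name\nadmin;Admin\n"})
MIXED = build_zip({"user.csv": b"login;name\n", "notes.php": b"placeholder"})
TRAVERSAL = build_zip({"../www/notes.php": b"placeholder"})
```

The whole archive is rejected when any single entry fails, so a valid user.csv cannot carry an extra file through the import.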
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Soplanning