CVE-2026-40543

EUVD-2026-33609
SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.

This issue affects SOPlanning version 1.55 and below.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CERT-PLCNA
8.8 HIGH
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
soplanningsoplanning
𝑥
≤ 1.55
CNA
Common Weakness Enumeration
References
https://cert.pl/en/posts/2026/06/CVE-2026-40543
https://www.soplanning.org/en/