CVE-2026-40547

EUVD-2026-33613
SOPlanning is vulnerable to Path Traversal in backup endpoints.  Authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user.

This issue affects SOPlanning version 1.55 and below.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CERT-PLCNA
6.4 MEDIUM
NETWORK
LOW
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
soplanningsoplanning
𝑥
≤ 1.55
CNA
Common Weakness Enumeration
References
https://cert.pl/en/posts/2026/06/CVE-2026-40543
https://www.soplanning.org/en/