Arbitrary file upload in SOPlanning

CVE-2026-40548

SOPlanning does not verify the extension of uploaded files. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on…

Vulnerability class: Unrestricted File Upload

EPSS: 0.000 (11.9th percentile)

Affected products

Weakness classification (CWE)

References