SOPlanning
cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*
- <= 1.55
SOPlanning versions through 1.55 allow authenticated attackers with access to the backup functionality to upload ZIP archives containing malicious files. The application does not properly validate file extensions, so harmful files can be included alongside legitimate ones such as user.csv. Once the archive is uploaded, the malicious file can be extracted on the server. Combined with a separate path traversal issue (CVE-2026-40547), this could lead to execution of the malicious file, such as a PHP script, from a web-accessible location.
Exploitation of this vulnerability could result in remote code execution on the server.
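One way to close the gap described above is to validate every archive entry against an allowlist before anything is extracted. This is an added example, not SOPlanning's own code; the function names, the `csv`-only allowlist and the rule that the archive must be flat are assumptions for illustration.

```php
<?php
// Added example, not SOPlanning code. ALLOWED_EXTENSIONS is an assumption:
// the advisory names only user.csv as a legitimate archive member.
const ALLOWED_EXTENSIONS = ['csv'];

/** One message per rejected entry; an empty array means the archive passed. */
function findRejectedEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Plain "name.ext" only: no directories, no "..", no hidden files, no double extensions.
        if ($name === false || !preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)) {
            $rejected[] = "entry $i: name is not a plain file name";
        } elseif (!in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true)) {
            $rejected[] = "entry $i ($name): extension not on the allowlist";
        }
    }
    $zip->close();
    return $rejected;
}

/** Extracts only after every entry has passed; $destDir should sit outside the web root. */
function extractValidated(string $zipPath, string $destDir): void
{
    $problems = findRejectedEntries($zipPath);
    if ($problems !== []) {
        throw new RuntimeException("archive rejected:\n" . implode("\n", $problems));
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || !$zip->extractTo($destDir)) {
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
}
// Constructed sample archive with placeholder contents, for demonstration only.
$sample = tempnam(sys_get_temp_dir(), 'bk');
$zip = new ZipArchive();
$zip->open($sample, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('user.csv', "id;name\n");
$zip->addFromString('page.php', 'placeholder');
$zip->addFromString('sub/other.csv', "id\n");
$zip->close();
print_r(findRejectedEntries($sample));
unlink($sample);
```

Rejecting the whole archive when any entry fails, rather than skipping the bad entries, keeps a partially restored backup from being left on disk.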