CVE-2026-40548EPSS p22.5%

CVE-2026-40548CVE-2026-40548

Description

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (e.g., a PHP script) can be placed in a web-accessible location and executed via the browser. This issue affects SOPlanning version 1.55 and below.

Scoring

EPSS0.31% probability of exploitation · percentile 22.5% · 2026-06-18T12:00:27Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-40547
CVE
CVE-2026-40544
CVE
CVE-2026-40543
CVE
CVE-2026-40546
CVE
CVE-2026-40549
CVE
CVE-2026-40545
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.