| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-39843 | Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching | makeplane | plane | High | 7.7 | 2026-04-09 15:43:35 | Deep Dive |
| CVE-2026-27949 | Plane Exposes User Email (PII and part of credential) in GET Parameter | makeplane | plane | Low | 2.0 | 2026-04-07 20:26:26 | Deep Dive |
| CVE-2026-39374 | Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint | makeplane | plane | Medium | 6.5 | 2026-04-07 19:37:32 | Deep Dive |
| CVE-2026-30242 | Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer | makeplane | plane | High | 8.5 | 2026-03-06 21:19:24 | Deep Dive |
| CVE-2026-30244 | Plane: Unauthenticated Workspace Member Information Disclosure | makeplane | plane | High | 7.5 | 2026-03-06 21:19:13 | Deep Dive |
| CVE-2026-27706 | Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature | makeplane | plane | High | 7.7 | 2026-02-25 15:56:11 | Deep Dive |
| CVE-2026-27705 | Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch | makeplane | plane | - | - | 2026-02-25 15:51:47 | Deep Dive |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission. | WSO2 | WSO2 API Manager | Critical | 9.1 | 2026-02-19 10:05:06 | Deep Dive |
| CVE-2025-69284 | In plane.io, a Guest User to a Workspace can still be able to see list of members | makeplane | plane | Medium | 4.3 | 2026-01-02 15:42:06 | Deep Dive |
| CVE-2025-9312 | Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products | WSO2 | WSO2 API Manager | Critical | 9.8 | 2025-11-18 12:05:22 | Deep Dive |
| CVE-2025-6670 | Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services | WSO2 | WSO2 Open Banking AM | High | 8.8 | 2025-11-18 11:28:37 | Deep Dive |
| CVE-2025-10853 | Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding | WSO2 | WSO2 Open Banking IAM | Medium | 5.2 | 2025-11-05 19:21:33 | Deep Dive |
| CVE-2025-5770 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products | WSO2 | WSO2 Identity Server | Medium | 6.1 | 2025-11-05 19:02:48 | Deep Dive |
| CVE-2025-11093 | Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS) | WSO2 | WSO2 Micro Integrator | High | 8.4 | 2025-11-05 18:31:18 | Deep Dive |
| CVE-2025-10907 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution | WSO2 | WSO2 API Manager | High | 8.4 | 2025-11-05 18:03:50 | Deep Dive |
| CVE-2025-10713 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration | WSO2 | WSO2 Enterprise Integrator | Medium | 6.5 | 2025-11-05 17:18:25 | Deep Dive |
| CVE-2025-3125 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution | WSO2 | WSO2 Identity Server | Medium | 6.7 | 2025-11-05 14:49:45 | Deep Dive |
| CVE-2025-62716 | Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter | makeplane | plane | High | 8.1 | 2025-10-24 20:06:18 | Deep Dive |
| CVE-2025-5605 | Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure | WSO2 | WSO2 Identity Server | Medium | 4.3 | 2025-10-24 10:10:00 | Deep Dive |
| CVE-2025-5350 | SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products | WSO2 | WSO2 Identity Server | Medium | 5.9 | 2025-10-24 10:08:08 | Deep Dive |