plane — Vulnerabilities & Security Advisories 19

All 19 CVE vulnerabilities found in plane, with AI-generated Chinese analysis, references, and POCs.

This page details the Common Weakness Enumerations associated with Plane, an open-source project management tool designed for agile teams. The collection aggregates security vulnerabilities affecting this specific product, covering advisories issued between early 2023 and late 2024. By browsing this repository, users can track vendor-specific security advisories, understand the technical implications of recurring weakness classes within the Plane codebase, and examine the historical vulnerability landscape for this application. The entries are curated to provide a clear view of how common defect patterns manifest in this software ecosystem, allowing developers and security analysts to identify trends and prioritize remediation efforts. This resource serves as a centralized reference point for understanding the security posture of Plane over time, without requiring manual searches across disparate vendor notification channels. Readers will find structured data that links general weakness types to concrete instances within the product, facilitating better risk assessment and more informed decision-making regarding software updates and patches. The information is presented in a neutral format to support technical analysis and compliance auditing processes. This aggregation helps stakeholders maintain awareness of known defects and ensures that security teams can efficiently monitor the evolution of threats targeting this specific management platform.

Vendor: Plane

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-10850 | Plane 1.3.1 - Stored XSS in intake issue description_html | CWE-79 | - | - | 2026-06-17 |
| CVE-2026-46558 | Plane: Cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces | CWE-639 | 8.3 | High | 2026-06-10 |
| CVE-2026-40102 | Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics | CWE-943 | 6.5 | Medium | 2026-05-20 |
| CVE-2026-39843 | Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching | CWE-918 | 7.7 | High | 2026-04-09 |
| CVE-2026-27949 | Plane Exposes User Email (PII and part of credential) in GET Parameter | CWE-200 | 2.0 | Low | 2026-04-07 |
| CVE-2026-39374 | Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint | CWE-639 | 6.5 | Medium | 2026-04-07 |
| CVE-2026-30242 | Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer | CWE-918 | 8.5 | High | 2026-03-06 |
| CVE-2026-30244 | Plane: Unauthenticated Workspace Member Information Disclosure | CWE-284 | 7.5 | High | 2026-03-06 |
| CVE-2026-27706 | Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature | CWE-918 | 7.7 | High | 2026-02-25 |
| CVE-2026-27705 | Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2025-69284 | In plane.io, a Guest User to a Workspace can still be able to see list of members | CWE-284 | 4.3 | Medium | 2026-01-02 |
| CVE-2025-62716 | Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter | CWE-79 | 8.1 | High | 2025-10-24 |
| CVE-2025-55203 | Plane Stored XSS in Add Work Item Functionality | CWE-79 | 5.4 | Medium | 2025-08-15 |
| CVE-2025-48070 | Plane has insecure permissions in UserSerializer | CWE-276 | 3.5 | Low | 2025-05-21 |
| CVE-2025-21616 | Plane has a Cross-site scripting (XSS) via SVG image upload | CWE-79 | 5.4 | Medium | 2025-01-06 |
| CVE-2024-47830 | Plane allows server side request forgery via /_next/image endpoint | CWE-918 | 9.3 | Critical | 2024-10-11 |
| CVE-2024-31461 | Plane Server-Side Request Forgery (SSRF) Vulnerability | CWE-918 | 9.1 | Critical | 2024-04-10 |
| CVE-2023-30791 | Plane 0.7.1 - Insecure file upload | CWE-434 | 7.1 | High | 2023-07-15 |
| CVE-2023-2268 | Plane v0.7.1 - Unauthorized access to files | CWE-862 | 7.1 | High | 2023-07-15 |
