VYPR

Plane by Plane
pypi: plane


CVEs (21)

  • CVE-2025-50251 (Critical, Aug 13, 2025)
    risk 0.59 | cvss 9.1 | epss 0.00

    Server side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery.

  • CVE-2025-62716 (High, Oct 24, 2025)
    risk 0.53 | cvss 8.1 | epss 0.00

    Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site…

  • CVE-2024-31461 (Critical, Apr 10, 2024)
    risk 0.52 | cvss 9.1 | epss 0.01

    Plane, an open-source project management tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.17-dev. This issue may allow an attacker to send arbitrary requests from the server hosting the application, potentially leading to unauthorized access to…

  • CVE-2026-46558 (High, Jun 10, 2026)
    risk 0.47 | cvss 8.3 | epss 0.00

    Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.

  • CVE-2026-39843 (High, Apr 9, 2026)
    risk 0.43 | cvss 7.7 | epss 0.00

    Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete, which could lead to the same full read Server-Side Request Forgery when a normal HTML page contains a link tag with an href that redirects to a…

  • CVE-2026-40102 (Medium, May 20, 2026)
    risk 0.35 | cvss 6.5 | epss 0.00

    Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an…

  • CVE-2026-39374 (Medium, Apr 7, 2026)
    risk 0.35 | cvss 6.5 | epss 0.00

    Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership.…

  • CVE-2025-55203 (Medium, Aug 15, 2025)
    risk 0.28 | cvss 5.4 | epss 0.00

    Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other…

  • CVE-2026-27949 (Low, Apr 7, 2026)
    risk 0.06 | cvss 2.0 | epss 0.00

    Plane is an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted).…

  • CVE-2026-10850 (Jun 17, 2026)
    risk 0.00 | cvss n/a | epss 0.00

    Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

  • CVE-2026-30242 (Mar 6, 2026)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with the workspace ADMIN role to create webhooks pointing to private/internal network addresses…

  • CVE-2026-30244 (Mar 6, 2026)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST…

  • CVE-2026-27706 (Feb 25, 2026)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET…

  • CVE-2026-27705 (Feb 25, 2026)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`,…

  • CVE-2025-69284 (Jan 2, 2026)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when `/api/workspaces/:slug/members/` is accessible by a guest and able…

  • CVE-2025-48070 (May 21, 2025)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allow users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such…

  • CVE-2025-21616 (Jan 6, 2025)
    risk 0.00 | cvss n/a | epss 0.00

    Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets…

  • CVE-2024-47830 (Oct 11, 2024)
    risk 0.00 | cvss n/a | epss 0.01

    Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locations. This vulnerability is…

  • CVE-2023-30791 (Jul 15, 2023)
    risk 0.00 | cvss n/a | epss 0.00

    Plane version 0.7.1-dev allows an attacker to change their profile avatar, which permits uploading files with an HTML extension that the browser interprets as both HTML and JavaScript.

  • CVE-2023-2268 (Jul 15, 2023)
    risk 0.00 | cvss n/a | epss 0.01

    Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.

Page 1 of 2