Description
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.
Published: 2026-06-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Plane CE 1.3.1 the description_html field of intake work items can be populated with arbitrary HTML or JavaScript when the item is created via the API v1 intake endpoint. Because the payload is stored and rendered without proper escaping, a low-privileged project member can embed malicious code that will execute in the browsers of any user who later opens the work item, potentially leading to session hijacking, credential theft, or phishing attacks. The weakness corresponds to CWE-79.

Affected Systems

Plane CE 1.3.1 on Linux, macOS and Windows is affected; the vulnerability exists only in that release according to the available data.

Risk and Exploitability

The CVSS score of 6.9 signifies moderate severity while the EPSS score, being less than 1% at the time of analysis, indicates a very low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Although the attacker only needs a project-member role, the stored nature of the XSS means any user who views the compromised item is at risk, making the attack path straightforward but limited in scale.

Generated by OpenCVE AI on June 18, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Plane CE patch that eliminates the flaw in description_html handling
  • Sanitize or properly escape user-supplied description_html content on the server before storing or rendering
  • Restrict or audit the capability to create intake work items so that only higher-privileged users can submit content

Generated by OpenCVE AI on June 18, 2026 at 18:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.
Title Plane 1.3.1 - Stored XSS in intake issue description_html
First Time appeared Plane
Plane plane
Weaknesses CWE-79
CPEs cpe:2.3:a:plane:plane:1.3.1:*:linux:*:*:*:*:*
cpe:2.3:a:plane:plane:1.3.1:*:macos:*:*:*:*:*
cpe:2.3:a:plane:plane:1.3.1:*:windows:*:*:*:*:*
Vendors & Products Plane
Plane plane
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-17T15:39:40.388Z

Reserved: 2026-06-04T12:27:47.258Z

Link: CVE-2026-10850

cve-icon Vulnrichment

Updated: 2026-06-17T15:39:32.385Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')