
Plane CE CVE-2026-10850

Severity: MEDIUM (6.9, CVSS 4.0) · Vendor: Fluid Attacks
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-06-17 (Fluid Attacks)

Severity by source

Vendor (Fluid Attacks), primary: 6.9 MEDIUM
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

vuln.today AI: 7.6 HIGH
  Rationale: Stored XSS crosses browser security boundary (S:C); session token theft justifies C:H; PR:L reflects mandatory project member authentication; UI:R for victim view.
  CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS Vector (Vendor: Fluid Attacks)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 15:41 (vuln.today)

Description (CVE.org)

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

Analysis (AI)

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary HTML and JavaScript via the description_html field through the API v1 intake endpoint, with payloads persisting in the database and executing in the browsers of any user who views the affected intake item. The CVSS 4.0 vector rates confidentiality impact on the vulnerable system as High (VC:H), reflecting the realistic threat of session token exfiltration from higher-privileged users such as project administrators. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate as low-privileged project member
Delivery: Craft intake work item with JS payload in description_html
Exploit: Submit via API v1 intake endpoint
Install: Payload persists in Plane database
C2: Privileged user passively views intake item
Execute: Injected script executes in victim browser
Impact: Session token exfiltrated to attacker

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold a valid, authenticated low-privileged project member account on the target Plane CE 1.3.1 instance - unauthenticated exploitation is not possible per the PR:L CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N) scores 6.9 and reflects a network-reachable stored XSS requiring low privileges and passive victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An authenticated low-privileged project member submits a POST request to the Plane API v1 intake endpoint, embedding a JavaScript payload such as a cookie-stealing script in the `description_html` field of a new intake work item. When a project administrator or lead opens the intake queue in their browser and views the item, the injected script executes silently in their authenticated session, exfiltrating their session token to an attacker-controlled server. …
Remediation: No vendor-released patch version has been independently confirmed from the available data - the GitHub repository reference (https://github.com/makeplane/plane) does not point to a tagged patched release, and no fix version is stated in the advisory or NVD entry. … Detailed patch versions, workarounds, and compensating controls in full report.
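An added, defender-side illustration of the control this bug class calls for (example code, not Plane's own and not from the advisory): a server-side allowlist sanitizer for a rich-text field such as description_html that neutralises the vectors named above (script elements, event-handler attributes, javascript: URLs) and reports what it removed, so an intake endpoint can either store the cleaned value or reject the request outright. The tag and attribute allowlist and the function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy for a rich-text field such as description_html (assumed here, not Plane's own).
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "code", "pre", "a", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}

def _safe_href(value):
    # Allow http(s), mailto and same-origin paths; reject javascript:, data: and protocol-relative URLs.
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "mailto:")) or (v.startswith("/") and not v.startswith("//"))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0  # _skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        self._skip += tag in ("script", "style")  # their bodies must be discarded, not escaped
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or (name == "href" and not _safe_href(value)):
                self.dropped.append(f"attr:{tag}.{name}")  # e.g. onerror=..., href="javascript:..."
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:  # everything outside script/style is kept as text, re-escaped
            self.out.append(escape(data))

def sanitize_description_html(html):
    """Return (clean_html, dropped); a strict endpoint rejects the submission when dropped is non-empty."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped

# Constructed sample submission (not a payload from the advisory).
SAMPLE_DESCRIPTION_HTML = ('<p>Hi <strong>team</strong></p><img src=x onerror="alert(1)"><script>alert(1)</script>'
                           '<a href="javascript:alert(1)">link</a><a href="https://example.com">ok</a>')
```

Run it on the server at write time, before the value reaches the database, so every later render path only ever sees allowlisted markup.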



CVE-2026-10850 vulnerability details – vuln.today
