CVE-2026-27949

| EUVD-2026-19935 LOW
2026-04-07 [email protected]
2.0
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 07, 2026 - 21:22 vuln.today
EUVD ID Assigned
Apr 07, 2026 - 21:22 euvd
EUVD-2026-19935
CVE Published
Apr 07, 2026 - 21:17 nvd
LOW 2.0

Tags

Information Disclosure

Description

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0.

Analysis

Plane project management tool versions prior to 1.3.0 leak user email addresses in authentication error URLs, transmitting personally identifiable information via unencrypted GET query parameters. The vulnerability requires high-privilege access and user interaction to trigger, exposing email disclosure with low confidentiality impact and no integrity or availability consequences. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

10
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +10
POC: 0

Share

CVE-2026-27949 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy