What is the CVSS score of EUVD-2026-20940?

EUVD-2026-20940 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Plane are affected by EUVD-2026-20940?

Makeplane Plane versions 0.28.0 through 1.2.x contain a Server-Side Request Forgery vulnerability that allows authenticated users to access internal network resources by exploiting the favicon fetch…. A patch is available.

How to fix or mitigate EUVD-2026-20940?

Within 24 hours: inventory all Makeplane Plane instances and document current versions. Within 7 days: upgrade all affected instances (0.28.0 to 1.2.x) to version 1.3.0 or later per vendor advisory. Within 30 days: audit authentication logs for the favicon endpoint (/api/v1/workspaces/*/fetch-favicon or similar) to detect suspicious activity targeting internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

Plane EUVD-2026-20940

| CVE-2026-39843 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-09 GitHub_M

SSRF Plane

7.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.7 HIGH

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 20:22 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 06:00 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.3.0

EUVD ID Assigned

Apr 09, 2026 - 16:00 euvd

EUVD-2026-20940

Analysis Generated

Apr 09, 2026 - 16:00 vuln.today

CVE Published

Apr 09, 2026 - 15:43 nvd

HIGH 7.7

DescriptionGitHub Advisory

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.

AnalysisAI

Server-Side Request Forgery (SSRF) in Makeplane Plane (versions 0.28.0 to before 1.3.0) allows authenticated attackers with low privileges to perform full-read SSRF attacks against internal network resources. The vulnerability exists because incomplete remediation of a previous SSRF issue (GHSA-jcc6-f9v6-f7jw) left the favicon fetch path vulnerable to redirect-based attacks. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticated attacker creates HTML page with link tag

Delivery

Href redirects to private IP address

Exploit

Plane fetches favicon URL with redirect following

Execution

SSRF accesses internal resources

Impact

Sensitive data read from private network

Access

Authenticated attacker creates HTML page with link tag

Delivery

Href redirects to private IP address

Exploit

Plane fetches favicon URL with redirect following

Execution

SSRF accesses internal resources

Impact

Sensitive data read from private network

Vulnerability AssessmentAI

Exploitation	Plane versions 0.28.0 to 1.2.x running default configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.7 reflects high-impact confidentiality breach via SSRF affecting multiple systems (S:C). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Authenticated attacker creates HTML link with favicon URL redirecting to private IP (e.g., 169.254.169.254 metadata service). Plane's fetch_and_encode_favicon() follows redirect without validation, retrieving sensitive data. …
Remediation	Vendor-released patch: Upgrade to Makeplane Plane version 1.3.0 or later, which implements complete redirect validation for favicon fetch operations. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Makeplane Plane instances and document current versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10850 MEDIUM This Month

6.9 Jun 17

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary

EUVD-2026-20940 vulnerability details – vuln.today

Back

Plane EUVD-2026-20940

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code