CVE-2026-10850 Plane 1.3.1 - Stored XSS in intake issue description_html

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the descriptionhtml field when creating an intake work item through the API v1 intake endpoint...

CVE-2026-10850

CVE-2026-10850 affects Plane CE 1.3.1. A low-privileged project member can submit arbitrary HTML/JS in the description_html field when creating an intake work item via the API v1 intake endpoint, enabling stored XSS. The description_html field is the vector; no exploit details or affected version...