Lucene search
K

28 matches found

NVD
NVD
added 2026/06/10 4:17 p.m.11 views

CVE-2026-46558

Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1...

8.3CVSS0.0028EPSS
Exploits3References2
Cvelist
Cvelist
added 2026/06/10 3:42 p.m.33 views

CVE-2026-46558 Plane: Cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces

Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1...

8.3CVSS0.0028EPSS
Exploits3References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.11 views

CVE-2026-39374

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

7.7CVSS5.5AI score0.00208EPSS
Exploits1References1
NVD
NVD
added 2026/05/20 10:16 p.m.22 views

CVE-2026-40102

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...

6.5CVSS0.00295EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/14 1:22 a.m.7 views

CVE-2026-39843

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address ...

7.7CVSS5.9AI score0.00246EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/09 3:43 p.m.6 views

CVE-2026-39843

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address ...

7.7CVSS5.9AI score0.00246EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/09 3:43 p.m.5 views

EUVD-2026-20940

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address ...

7.7CVSS5.9AI score0.00246EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 8:26 p.m.21 views

CVE-2026-27949 Plane Exposes User Email (PII and part of credential) in GET Parameter

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...

2CVSS0.00168EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 8:26 p.m.5 views

CVE-2026-27949

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...

2CVSS6AI score0.00168EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/07 8:26 p.m.4 views

EUVD-2026-19935

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...

2CVSS6AI score0.00168EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/07 7:37 p.m.4 views

CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

6.5CVSS5.9AI score0.00208EPSS
Exploits1References1
CVE
CVE
added 2026/04/07 7:37 p.m.20 views

CVE-2026-39374

The CVE describes an IDOR-style flaw in Plane (open‑source project management tool) prior to version 1.3.0. The IssueBulkUpdateDateEndpoint lets a project member with ADMIN/MEMBER privileges modify start_date and target_date of ANY issue across the entire instance by fetching issues by ID without...

7.7CVSS5.9AI score0.00208EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.8 views

PT-2026-31015

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...

2CVSS6AI score0.00168EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.7 views

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x...

8.5CVSS5.8AI score0.00284EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/26 10:34 p.m.8 views

CVE-2026-27706

Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery SSRF vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the...

7.7CVSS5.6AI score0.00213EPSS
Exploits0References1
NVD
NVD
added 2026/02/25 5:25 p.m.9 views

CVE-2026-27705

Plane is an an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch method in apps/api/plane/app/views/asset/v2.py lines 579–593 performs a global asset lookup using only the asset ID pk via FileAsset.objects.getid=pk, without verifying that the asset belong...

7.1CVSS0.00213EPSS
Exploits0References3
NVD
NVD
added 2026/01/02 4:17 p.m.6 views

CVE-2025-69284

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...

4.3CVSS0.00162EPSS
Exploits0References1
EUVD
EUVD
added 2026/01/02 3:42 p.m.6 views

EUVD-2025-206228

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...

4.3CVSS6.2AI score0.00162EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/02 3:42 p.m.23 views

CVE-2025-69284 In plane.io, a Guest User to a Workspace can still be able to see list of members

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...

4.3CVSS0.00162EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/02 12:0 a.m.6 views

PT-2026-1101

Name of the Vulnerable Software and Affected Versions Plane versions prior to 1.2.0 Description Plane is an open-source project management tool. A guest user, lacking the necessary permissions, could access the /api/workspaces/:slug/members/ endpoint and list users within a workspace they have...

4.3CVSS6.6AI score0.00162EPSS
Exploits0References4
Rows per page
Query Builder