CVE-2026-10850

UNKNOWN 0.0

Plane 1.3.1 - Stored XSS in intake issue description_html

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

CWE	CWE-79
Vendor	plane
Product	plane
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for plane plane

Be the first to know when new unknown vulnerabilities affecting plane plane are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Plane / Plane

1.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

fluidattacks.com: https://fluidattacks.com/es/advisories/earth github.com: https://github.com/makeplane/plane

Credits

Oscar Naveda