CVE-2026-10850 - Vulnerability Details - OpenCVE

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00243.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Plane	Plane

No data.

No data.

No data.

References

Link	Providers
https://fluidattacks.com/es/advisories/earth
https://github.com/makeplane/plane

History

Thu, 18 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.
Title		Plane 1.3.1 - Stored XSS in intake issue description_html
First Time appeared		Plane Plane plane
Weaknesses		CWE-79
CPEs		cpe:2.3:a:plane:plane:1.3.1::linux::::: cpe:2.3:a:plane:plane:1.3.1::macos::::: cpe:2.3:a:plane:plane:1.3.1::windows:::::
Vendors & Products		Plane Plane plane
References		https://fluidattacks.com/es/advisories/earth https://github.com/makeplane/plane
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2026-06-17T14:39:51.370Z

Updated: 2026-06-17T15:39:40.388Z

Reserved: 2026-06-04T12:27:47.258Z

Link: CVE-2026-10850

Vulnrichment

Updated: 2026-06-17T15:39:32.385Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10850", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-06-04T12:27:47.258Z", "datePublished": "2026-06-17T14:39:51.370Z", "dateUpdated": "2026-06-17T15:39:40.388Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "Plane", "vendor": "Plane", "versions": [{"status": "affected", "version": "1.3.1"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:1.3.1:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:plane:plane:1.3.1:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:plane:plane:1.3.1:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.</span><br>"}], "value": "Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-06-17T14:39:51.370Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/es/advisories/earth"}, {"tags": ["product"], "url": "https://github.com/makeplane/plane"}], "source": {"discovery": "UNKNOWN"}, "title": "Plane 1.3.1 - Stored XSS in intake issue description_html", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://fluidattacks.com/es/advisories/earth", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T15:39:36.404624Z", "id": "CVE-2026-10850", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T15:39:40.388Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-10850", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-17T15:39:36.404624Z"}}}], "references": [{"url": "https://fluidattacks.com/es/advisories/earth", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T15:39:32.385Z"}}], "cna": {"title": "Plane 1.3.1 - Stored XSS in intake issue description_html", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Plane", "product": "Plane", "versions": [{"status": "affected", "version": "1.3.1"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/es/advisories/earth", "tags": ["third-party-advisory"]}, {"url": "https://github.com/makeplane/plane", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:1.3.1:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:plane:plane:1.3.1:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:plane:plane:1.3.1:*:linux:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-06-17T14:39:51.370Z"}}}, "cveMetadata": {"cveId": "CVE-2026-10850", "state": "PUBLISHED", "dateUpdated": "2026-06-17T15:39:40.388Z", "dateReserved": "2026-06-04T12:27:47.258Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2026-06-17T14:39:51.370Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}