Vulnerabilities in makeplane
16 results

CVE            | Severity | Title                                                                                                                                        | EPSS
CVE-2024-31461 | CRITICAL | Plane Server-Side Request Forgery (SSRF) Vulnerability                                                                                       | 0.7%
CVE-2024-47830 | CRITICAL | Plane allows server side request forgery via /_next/image endpoint                                                                           | 0.6%
CVE-2026-30244 | HIGH     | Plane: Unauthenticated Workspace Member Information Disclosure                                                                               | 0.4%
CVE-2025-62716 | HIGH     | Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter                                                           | 0.3%
CVE-2026-40102 | MEDIUM   | Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics                                                              | 0.3%
CVE-2026-30242 | HIGH     | Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer                                                                           | 0.3%
CVE-2026-46558 | HIGH     | Plane: Cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces | 0.3%
CVE-2025-21616 | MEDIUM   | Plane has a Cross-site scripting (XSS) via SVG image upload                                                                                  | 0.3%
CVE-2026-39843 | HIGH     | Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching                                                                           | 0.2%
CVE-2025-48070 | LOW      | Plane has insecure permissions in UserSerializer                                                                                             | 0.2%
CVE-2026-27706 | HIGH     | Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature                                                                | 0.2%
CVE-2026-27705 | MEDIUM   | Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch                                  | 0.2%
CVE-2026-39374 | MEDIUM   | Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint                                                                   | 0.2%
CVE-2025-55203 | MEDIUM   | Plane Stored XSS in Add Work Item Functionality                                                                                              | 0.2%
CVE-2026-27949 | LOW      | Plane Exposes User Email (PII and part of credential) in GET Parameter                                                                       | 0.2%
CVE-2025-69284 | MEDIUM   | In plane.io, a Guest User to a Workspace can still be able to see list of members                                                            | 0.2%