CVE-2025-21616

Name of the Vulnerable Software and Affected Versions Plane versions prior to 0.23

Description A cross-site scripting (XSS) vulnerability has been identified in Plane. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.

Recommendations For versions prior to 0.23, update to version 0.23 or later to resolve the issue. As a temporary workaround, consider disabling the ability to upload SVG files as profile images until a patch is available. Restrict access to the profile image feature to minimize the risk of exploitation. Avoid using the profile image feature with SVG files until the issue is resolved.