PT-2025-43671 · Plane · Plane

Published: 2025-10-24 · Updated: 2025-10-28 · CVE-2025-62716

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.1.0
Description: Plane is open-source project management software. A flaw exists in the handling of the `?next_path` query parameter: its value is passed directly to `router.push` without validating the scheme, so an attacker can supply an arbitrary scheme such as `javascript:`. This results in a cross-site scripting (XSS) issue that can execute arbitrary JavaScript in a victim's browser. The issue can be exploited without authentication and may lead to information disclosure, privilege escalation, and modification of administrative settings. The vulnerable parameter is `next_path`. The API endpoint involved is not explicitly mentioned.
Recommendations: Update to version 1.1.0 or later.
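The root cause described above is a redirect target taken from the query string and handed to a client-side router unchanged. The following is an added example, not Plane's code and not the project's fix, showing the unsafe pattern next to a validator that only accepts same-origin, path-only values; `sanitizeNextPath`, `redirectSafe`, `makeRouter` and the `app.invalid` base origin are assumed names used for illustration. It runs under Node without a real router.

```javascript
// Added example (not Plane's code): validate a "next_path"-style redirect target
// before handing it to a client-side router such as Next.js's router.push().
// Assumed names: sanitizeNextPath, redirectSafe, makeRouter; base origin "app.invalid".

const DEFAULT_PATH = "/";
const BASE_ORIGIN = "https://app.invalid"; // assumed application origin

// Unsafe pattern the advisory describes: the query value goes straight to the router,
// so a value with a "javascript:" scheme would be navigated to as-is.
//   router.push(query.next_path);

// Accept only an absolute path on this site. Anything else falls back to "/".
function sanitizeNextPath(raw) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_PATH;
  // Must start with exactly one "/": rejects schemes ("javascript:", "https:"),
  // protocol-relative hosts ("//other.invalid") and backslash variants ("/\other.invalid").
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return DEFAULT_PATH;
  }
  // Reject control characters and whitespace; they are never legitimate in a
  // generated path and are a common way to disguise a scheme.
  if (/[\u0000-\u001f\s]/.test(raw)) return DEFAULT_PATH;
  // Resolve against the fixed origin and confirm the parser kept us on it.
  let parsed;
  try {
    parsed = new URL(raw, BASE_ORIGIN);
  } catch {
    return DEFAULT_PATH;
  }
  if (parsed.origin !== BASE_ORIGIN) return DEFAULT_PATH;
  // Re-emit only the normalized path, query and fragment (dot segments resolved).
  return parsed.pathname + parsed.search + parsed.hash;
}

// Minimal stand-in for a client-side router so the example runs offline.
function makeRouter() {
  const pushed = [];
  return { push: (target) => pushed.push(target), pushed };
}

// Hardened pattern: validate, then navigate.
function redirectSafe(router, query) {
  const target = sanitizeNextPath(query.next_path);
  router.push(target);
  return target;
}

// Constructed sample inputs, as a login page might receive them.
const samples = [
  "/projects/42?tab=issues#top",
  "javascript:void(0)",
  "//other.invalid/landing",
  "https://app.invalid/settings",
  "/a/../b",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", sanitizeNextPath(s));
}
```

The check is deliberately an allow-list: rather than trying to enumerate dangerous schemes, it accepts only values that resolve to a path on the application's own origin, and it returns the parser's normalized output instead of the raw input so the router never sees the attacker-controlled string.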

Exploit

Fix

LPE

Open Redirect

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62716
GHSA-6FJ7-XGPG-MJ6F

Affected Products

Plane