PT-2026-1317 · Planka · Planka

Published: 2026-01-05 · Updated: 2026-01-05 · CVE-2025-65922

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: PLANKA version 2.0.0

Description: The application does not send X-Frame-Options or Content-Security-Policy frame-ancestors headers, so its pages can be embedded in iframes on attacker-controlled sites. This exposes users to phishing through UI redressing (clickjacking): a user may be tricked into entering sensitive information into fake forms overlaid on the embedded page. The supplier disputes this assessment, stating that SameSite=Strict cookies prevent authentication in cross-origin contexts and that the browser's Same-Origin Policy prevents the parent page from accessing iframe content. They argue that the security outcome depends on user trust in the parent page and that embedding the legitimate page adds no additional risk.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
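The following is an added example, not code from the advisory or from the Planka project: a small checker that, given a response's headers, classifies the anti-framing protection the advisory describes, applying the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options. The sample header sets are constructed, not captured from a Planka instance.

```python
"""Check whether an HTTP response allows the page to be framed.

Added example (not the advisory's or the Planka project's code): given a
response's headers, decide whether browsers will let the page be embedded
in a cross-origin iframe, i.e. whether the anti-clickjacking protections
named in the advisory (X-Frame-Options, CSP frame-ancestors) are present.
"""


def _csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # empty list behaves like 'none'
    return None


def framing_policy(headers):
    """Classify anti-framing protection from a dict of response headers.

    Returns "blocked", "same-origin", "allow-list" or "unprotected".
    Header names are matched case-insensitively. Per CSP Level 3, a
    frame-ancestors directive takes precedence over X-Frame-Options.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            if not ancestors or ancestors == ["'none'"]:
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            return "allow-list"  # named origins; verify they are all yours
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return "unprotected"


# Constructed sample responses, not captured from a real Planka instance.
# SameSite=Strict governs whether cookies are sent, not whether the page can be framed.
UNPROTECTED = {"Content-Type": "text/html", "Set-Cookie": "sid=x; SameSite=Strict"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}
```

Run the checker against the headers of each HTML response (login page included), and treat anything other than "blocked" or "same-origin" as a finding to review.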

Exploit: Clickjacking

Weakness Enumeration:

Related Identifiers: CVE-2025-65922

Affected Products: Planka