PT-2026-31642 · Plane · Plane

Published: 2026-04-09 · Updated: 2026-04-09 · CVE-2026-39843

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Plane versions 0.28.0 through 1.2.9
Description: Plane, an open-source project management tool, has an incomplete remediation for a Server-Side Request Forgery (SSRF) issue. An authenticated attacker with low privileges can exploit this by supplying a normal HTML page containing a link tag with an href attribute that redirects to a private IP address via the Add link functionality. The validation of redirects only applies to the main page URL, not to the favicon fetch path. The `fetch_and_encode_favicon()` function uses `requests.get(favicon_url, ...)` with default redirect following, allowing the SSRF to occur.
Recommendations: Update to Plane version 1.3.0 or later.
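The description above identifies the gap: the redirect validation covered the first URL but not the favicon fetch, which used requests.get with default redirect following. The following added example (not Plane's code, and not the vendor's actual fix) shows the defensive pattern that closes that gap: disable automatic redirects, follow them manually, and validate every resolved address of every hop before issuing the request. The hostnames, addresses and HTTP responses are constructed sample data, and `requests_fetch` is an adapter assumed for the real `requests` library; the checks themselves use only the standard library.

```python
"""Hop-by-hop redirect validation for an outbound favicon fetch (illustrative)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_public_address(addr: str) -> bool:
    """True only for addresses that are routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(hostname: str) -> list[str]:
    """Resolve a hostname to every address the OS resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_url(url: str, resolver=system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Every address the host resolves to must be public."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if not parsed.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {parsed.hostname}: {exc}"
    if not addrs:
        return False, f"no address for {parsed.hostname}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{parsed.hostname} resolves to non-public {addr}"
    return True, "ok"


def fetch_with_checked_redirects(url, fetch, resolver=system_resolver, max_redirects=5):
    """Follow redirects manually; the target of every hop is checked before it is requested.

    `fetch(url)` must perform ONE request without following redirects and return
    (status, headers, body).
    """
    current = url
    for _ in range(max_redirects + 1):
        allowed, reason = check_url(current, resolver)
        if not allowed:
            raise ValueError(f"blocked {current}: {reason}")
        status, headers, body = fetch(current)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_STATUSES and location:
            current = urljoin(current, location)  # relative Location headers are resolved too
            continue
        return current, status, body
    raise ValueError(f"too many redirects starting from {url}")


def requests_fetch(url, timeout=5):
    """Adapter for the real `requests` library: one request, automatic redirects disabled."""
    import requests  # imported lazily; everything above needs no third-party code
    resp = requests.get(url, allow_redirects=False, timeout=timeout)
    return resp.status_code, dict(resp.headers), resp.content


# --- constructed sample data so the demonstration runs offline ---
SAMPLE_DNS = {"vendor.example": ["93.184.216.34"]}  # made-up host with a public address
SAMPLE_RESPONSES = {
    "http://vendor.example/favicon.ico": (302, {"Location": "/static/icon.ico"}, b""),
    "http://vendor.example/static/icon.ico": (200, {"Content-Type": "image/x-icon"}, b"\x00\x00\x01\x00"),
    "http://vendor.example/logo.ico": (302, {"Location": "http://127.0.0.1:8000/admin"}, b""),
}


def sample_resolver(hostname):
    """Stand-in resolver: IP literals resolve to themselves, otherwise use the sample table."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        pass
    if hostname in SAMPLE_DNS:
        return SAMPLE_DNS[hostname]
    raise socket.gaierror(f"unknown host {hostname}")


def sample_fetch(url):
    """Stand-in for requests_fetch that serves the constructed responses."""
    return SAMPLE_RESPONSES[url]


def demo():
    """A relative redirect on the same public host succeeds; a redirect to loopback is
    rejected before any request is sent to it (sample_fetch never sees the loopback URL)."""
    ok = fetch_with_checked_redirects("http://vendor.example/favicon.ico", sample_fetch, sample_resolver)
    try:
        fetch_with_checked_redirects("http://vendor.example/logo.ico", sample_fetch, sample_resolver)
        blocked = None
    except ValueError as exc:
        blocked = str(exc)
    return ok, blocked


if __name__ == "__main__":
    print(demo())
```

The check resolves the hostname itself rather than only pattern-matching the URL, so a redirect to a hostname whose record points at a private address is caught as well. One residual the example does not close is the time gap between resolving at check time and connecting at request time (DNS rebinding); a complete fix also pins the connection to the address that passed the check.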

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-39843

Affected Products: Plane