PT-2026-50428 · Plane · Plane

Oscar Naveda · Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-10850

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description html field when creating an intake work item through the API v1 intake endpoint.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-10850

Affected Products

Plane