CVE Catalog

CVE-2026-10850

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Plane CE version 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake.

Risk Assessment

The ability to inject malicious code may lead to XSS attacks, posing a threat to the application's security and user data.

Recommendation

It is recommended to restrict permissions for project members and to validate and sanitize input data in the description_html field.

Original NVD description (English source)

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS