CVE-2026-27706

High CVSS: 7.7

Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.

Vendor

Plane

Product

Plane

CWE

CWE-918

Yayın Tarihi

2026-02-25 17:25:39

Güncelleme

2026-02-27 17:36:19

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Plane HIGH Plane 2026

Referanslar

https://github.com/makeplane/plane/releases/tag/v1.2.2 https://github.com/makeplane/plane/security/advisories/GHSA-jcc6-f9v6-f7jw

Benzer Kayıtlar

High

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/seri…

High

CVE-2026-30244

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate work…

Medium

CVE-2026-27705

Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in…

Medium

CVE-2025-69284

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[…

Low

CVE-2025-48070

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer tha…

Medium

CVE-2025-21616

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane…