CVE Catalog
CVE-2026-10850
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk0.24%
15th percentile — higher than 15% of all known CVEs
Summary
Plane CE version 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake.
Risk Assessment
The ability to inject malicious code may lead to XSS attacks, posing a threat to the application's security and user data.
Recommendation
It is recommended to restrict permissions for project members and to validate and sanitize input data in the description_html field.
Original NVD description (English source)
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

